From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Strongswan and auto=start
Date: Wed, 27 Feb 2019 12:12:19 -0500
In-Reply-To: <03715558-2162-4317-B4A9-1DE8E24F161B@ipfire.org>

Yes, my apologies, I thought I had sent that message days ago, but it was sitting there waiting to be sent, and it clearly could have been more, um, clear.

What I meant was that, for years, we routinely modified the CGI to change the line that wrote out “auto=start” to “auto=route”. This made it so that the tunnel configurations were automatically written out correctly, and we just had to remember to modify that one line after updates when the CGI was overwritten (like we currently do for unbound and .internal domains).

Would it not be possible to revert to the old CGI, then make that one modification to have all Net-to-Net tunnels use auto=route? We could then add in a timeout function and drop down if folks would like to retain the on-demand functionality (though I think that unlimited should be the default, as I imagine most net-to-net tunnels are intended to be always-on).

Tom

> On Feb 27, 2019, at 11:47 AM, Michael Tremer wrote:
>
> Hi,
>
> No, auto=start was the default.
>
> I would prefer to have auto=route as the default.
>
> When you say you did that for years you are referring to your own setup, right?
>
> -Michael
>
>> On 25 Feb 2019, at 23:16, Tom Rymes wrote:
>>
>> Would it not be possible to revert to the old CGI, prior to On-Demand and change the auto=start line to auto=route? We did that for years.
>>
>> Tom
>>
>>> On Feb 18, 2019, at 6:43 AM, Michael Tremer wrote:
>>>
>>> Hi,
>>>
>>> I tried to change this in the CGI, but it is not so easy.
>>>
>>> But I would be in favour of On-Demand being the default.
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 18 Feb 2019, at 04:44, Tom Rymes wrote:
>>>>
>>>> A while back, I made a feature request to allow configuration of the Strongswan “auto” parameter via the WUI. This made its way into the WUI as the “On-Demand” feature a while back (thank you!!!) https://bugzilla.ipfire.org/show_bug.cgi?id=10733
>>>>
>>>> At the time, I had posted a few links to messages on the StrongSwan mailing list that indicated that auto=route results in superior reliability, and our experience bears this out, but the default remains “auto=start”.
>>>>
>>>> In order to support Windows roadwarrior connections, IPFire’s host cert needs a dns Subject Alt Name, so I had to delete all of our tunnels and certs, then recreate them. This meant that I had to change both sides of ~20 tunnels from the default “Always On” (auto=start) to “On Demand” (auto=route).
>>>>
>>>> Coincidentally, this message from one of the developers came across the StrongSwan Users list tonight, which basically makes clear that auto=start should not be used: https://lists.strongswan.org/pipermail/users/2019-February/013373.html
>>>>
>>>> The relevant quotation: “Use auto=route. Auto=start is not reliable.”
>>>>
>>>> This raises the question as to why auto=start is still the default in IPFire.
>>>>
>>>> Thoughts?
>>>>
>>>> Tom
>>>
>>
>
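As an added example (not code from the thread, from IPFire's CGI or from strongSwan): a small audit in the spirit of the manual fix Tom describes, which parses an ipsec.conf in the classic conn/key=value syntax, reports net-to-net tunnels that have been written back out with auto=start, and rewrites only those sections to auto=route while leaving roadwarrior conns untouched. The conn names and addresses in the sample are constructed.

```python
# Added example for the thread above; not IPFire's vpnmain.cgi or strongSwan code.
# Parses classic ipsec.conf, flags net-to-net conns on auto=start, rewrites to route.
import re

# Constructed sample config; names and addresses are not from the thread.
SAMPLE_IPSEC_CONF = """\
conn branch-office
    leftsubnet=192.0.2.0/24
    right=203.0.113.10
    rightsubnet=198.51.100.0/24
    auto=start

conn roadwarrior
    leftsubnet=192.0.2.0/24
    right=%any
    auto=add
"""

_SECTION = re.compile(r"^conn\s+(\S+)\s*$")
_KV = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the file."""
    conns, current = {}, None
    for line in text.splitlines():
        if (m := _SECTION.match(line)):
            current = conns.setdefault(m.group(1), {})
        elif line.strip() and not line[0].isspace():
            current = None  # another top-level section, e.g. 'config setup'
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return conns

def conns_needing_route(text):
    """Net-to-net conns (subnet on both ends, fixed peer) that still use auto=start."""
    return sorted(n for n, c in parse_conns(text).items()
                  if "leftsubnet" in c and "rightsubnet" in c
                  and c.get("right") != "%any" and c.get("auto") == "start")

def rewrite_auto_route(text):
    """Rewrite auto=start to auto=route only inside the flagged conn sections."""
    targets, out, current = set(conns_needing_route(text)), [], None
    for line in text.splitlines():
        if (m := _SECTION.match(line)):
            current = m.group(1)
        elif line.strip() and not line[0].isspace():
            current = None
        if current in targets and re.fullmatch(r"\s*auto\s*=\s*start\s*", line):
            line = line.replace("start", "route")
        out.append(line)
    return "\n".join(out) + "\n"
```

Running it after an update that overwrote the CGI output lists exactly the tunnels that need the one-line change, so the check can be scripted rather than remembered.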