From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Strongswan and auto=start
Date: Tue, 05 Mar 2019 16:52:33 +0000
In-Reply-To: <2803d245-1060-44ce-a2ac-326392933ce8@rymes.com>

Hi,

Good question. It would be nice if we could have some good documentation about parameters like the inactivity timeout on the wiki.

There is no good default for that I think. I could live with unlimited. My tunnels are usually all over the place because it doesn’t matter as they all have activity all the time…

-Michael

> On 5 Mar 2019, at 16:51, Tom Rymes wrote:
>
> Great news, Michael, thanks for putting the work in on this. It sure looks like the right solution to me.
>
> I would suggest that we consider changing the default for INACTIVITY_TIMEOUT to unlimited, but I can see how others might differ on that.
>
> Tom
>
> On 03/05/2019 10:28 AM, Michael Tremer wrote:
>> Hi,
>> I got it. Yay!
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=eb09c90ef47606f616201fddc5e783149aee9228
>> The patch looks simple, but this was a lot of work :(
>> And I changed the default straight away:
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=b15b70bc6b6b5f6d8b62e5b730b68d86f59810e6
>> This is what we want, isn’t it?
>> Best,
>> -Michael
>>> On 27 Feb 2019, at 17:12, Tom Rymes wrote:
>>>
>>> Yes, my apologies, I thought I had sent that message days ago, but it was sitting there waiting to be sent, and it clearly could have been more, um, clear.
>>>
>>> What I meant was that, for years, we routinely modified the CGI to change the line that wrote out “auto=start” to “auto=route”. This made it so that the tunnel configurations were automatically written out correctly, and we just had to remember to modify that one line after updates when the CGI was overwritten (like we currently do for unbound and .internal domains).
>>>
>>> Would it not be possible to revert to the old CGI, then make that one modification to have all Net-to-Net tunnels use auto=route? We could then add in a timeout function and drop down if folks would like to retain the on-demand functionality (though I think that unlimited should be the default, as I imagine most net-to-net tunnels are intended to be always-on).
>>>
>>> Tom
>>>
>>>> On Feb 27, 2019, at 11:47 AM, Michael Tremer wrote:
>>>>
>>>> Hi,
>>>>
>>>> No, auto=start was the default.
>>>>
>>>> I would prefer to have auto=route as the default.
>>>>
>>>> When you say you did that for years you are referring to your own setup, right?
>>>>
>>>> -Michael
>>>>
>>>>> On 25 Feb 2019, at 23:16, Tom Rymes wrote:
>>>>>
>>>>> Would it not be possible to revert to the old CGI, prior to On-Demand and change the auto=start line to auto=route? We did that for years.
>>>>>
>>>>> Tom
>>>>>
>>>>>> On Feb 18, 2019, at 6:43 AM, Michael Tremer wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I tried to change this in the CGI, but it is not so easy.
>>>>>>
>>>>>> But I would be in favour of On-Demand being the default.
>>>>>>
>>>>>> Best,
>>>>>> -Michael
>>>>>>
>>>>>>> On 18 Feb 2019, at 04:44, Tom Rymes wrote:
>>>>>>>
>>>>>>> A while back, I made a feature request to allow configuration of the Strongswan “auto” parameter via the WUI. This made its way into the WUI as the “On-Demand” feature a while back (thank you!!!) https://bugzilla.ipfire.org/show_bug.cgi?id=10733
>>>>>>>
>>>>>>> At the time, I had posted a few links to messages on the StrongSwan mailing list that indicated that auto=route results in superior reliability, and our experience bears this out, but the default remains “auto=start”.
>>>>>>>
>>>>>>> In order to support Windows roadwarrior connections, IPFire’s host cert needs a dns Subject Alt Name, so I had to delete all of our tunnels and certs, then recreate them. This meant that I had to change both sides of ~20 tunnels from the default “Always On” (auto=start) to “On Demand” (auto=route).
>>>>>>>
>>>>>>> Coincidentally, this message from one of the developers came across the StrongSwan Users list tonight, which basically makes clear that auto=start should not be used: https://lists.strongswan.org/pipermail/users/2019-February/013373.html
>>>>>>>
>>>>>>> The relevant quotation: “Use auto=route. Auto=start is not reliable.”
>>>>>>>
>>>>>>> This raises the question as to why auto=start is still the default in IPFire.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Tom
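As an added illustration of the two settings the thread argues about (not an excerpt of IPFire's generated configuration or of either commit), here is a strongSwan ipsec.conf connection written the way the "On Demand" option is described above; the connection name, addresses, subnets and certificate file name are constructed for the example.

```ini
# Constructed example of a net-to-net connection in strongSwan ipsec.conf.
# auto=route installs the IPsec trap policies when the daemon starts and lets
# the first packet that matches them trigger the IKE negotiation, so a tunnel
# that drops is re-established by the next packet. auto=start only attempts to
# bring the tunnel up once at daemon start, which is the behaviour the thread
# quotes the strongSwan developer as calling unreliable.
conn net-to-net-example
    keyexchange=ikev2
    left=192.0.2.1              # constructed: this firewall's public address
    leftsubnet=10.0.1.0/24      # constructed: local network behind it
    leftcert=hostcert.pem       # constructed: this host's certificate
    right=203.0.113.1           # constructed: remote gateway
    rightsubnet=10.0.2.0/24     # constructed: remote network
    # "On Demand" in the WUI, "Always On" would be auto=start
    auto=route
    # Inactivity timeout: close the CHILD_SA after 30 minutes without traffic.
    # The trap policy stays installed, so the next packet rebuilds the tunnel.
    # Leave this line out for the "unlimited" behaviour proposed in the thread:
    # strongSwan applies no inactivity timeout unless one is configured.
    inactivity=30m
```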