From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] ipsec: Add script to ensure VPNs are always on
Date: Thu, 06 Feb 2020 15:06:20 -0500
In-Reply-To: <5CECA878-928D-4859-9053-1F4DD59B15F0@ipfire.org>

On 02/06/2020 10:03 AM, Michael Tremer wrote:
> Hi,
>
>> On 5 Feb 2020, at 17:36, Tom Rymes wrote:

[snip]

>> Sorry for being unclear. There are currently eight options for "Inactivity Timeout", including "Unlimited". I would propose that the script you are adding should only bring back up tunnels whose Inactivity Timeout is set to "Unlimited". A tunnel with a timeout of one hour would time out, go down, and then the script should ignore it.
>
> The inactivity timeout is only active when the connection is in “on demand” mode. The script ignores connections in that mode, so nothing will happen here.

Right, but I had proposed to combine "Always On" and "On Demand" into
one, as they will effectively be the same after this proposed change.
After this change, unless I am missing something, the only difference
will be the "Inactivity Timeout".

If "On Demand" and "Always On" are combined into "Normal" (as opposed to
"Wait for connection initiation"), then the script can use the Inactivity
timeout to determine which tunnels to bring up. Come to think of it,
shouldn't the script also bring up any "On-Demand" tunnels that are set
to a timeout of "Unlimited"? I know that we run *all* of our tunnels as
"On-Demand/Unlimited" because auto=route is so much more reliable.

It's not really a big deal either way, but if the only difference
between "On Demand" and "Always On" after this proposed change is going
to be the inactivity timeout, then I'd say merge the two into one and
use the Inactivity Timeout of "Unlimited" to denote which tunnels should
always be up. It's cleaner and less confusing.

My $0.02.

Tom