Hello guys,
sorry for my absence in the last few days and weeks. This list has been more or less read-only for me and I would like to change this. I would like to see more people involved in this project and take part in what we do here. So it is important that everyone is in the know about what is going on.
This morning I worked on a small feature which is probably quite interesting: On-demand IPsec VPN tunnels.
What does it do? It essentially installs triggers in the kernel instead of bringing up the VPN tunnel right away. As soon as the kernel is receiving a packet that is supposed to be sent through that VPN, it will ask strongSwan to bring up the tunnel and send the packet.
When the VPN tunnel has not transferred any packets for 15 minutes, it will terminate it and restart it when it is needed again.
Why is this such a great feature? It is simple, but in scenarios with many VPN tunnels (e.g. headquarters and many branch offices) it does not always make sense to keep all tunnels up all of the time. This feature will shut down any tunnels that are not needed and keep resources free.
This is probably not much, but we have seen machines with only little entropy and we have seen IPsec becoming unstable then.
The web user interface shows whether a tunnel is idle or connected.
Patches are in next:
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=dcb406cc675c42f9add4a...
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=1ee1666ee45268db405a6...
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=8057ab15b9efeecf8eca7...
It would be cool if you all could have a look at them, test them, maybe complete translations for any languages that you speak, etc.
I am not sure if this will cause some problems with some applications that rely on fast establishing of connections.
Looking forward to hearing your feedback!
Best, -Michael
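For readers who want to see what the kernel "trigger" mechanism described above looks like in strongSwan's own configuration, here is an added illustration of an on-demand site-to-site connection in ipsec.conf syntax. It is not taken from the IPFire patches linked in the post; the connection name, subnets and peer address are placeholders.

```ini
# Added illustration, not code from the IPFire patches: a strongSwan
# ipsec.conf "conn" section for an on-demand tunnel. Names and
# addresses are placeholders (RFC 5737 documentation ranges).
conn branch-office-example
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=203.0.113.10
    rightsubnet=10.0.2.0/24
    authby=psk
    keyexchange=ikev2
    # auto=route installs a trap (hold) policy in the kernel instead of
    # starting the tunnel at load time; the first packet matching the
    # policy raises an "acquire" and strongSwan negotiates the SAs.
    auto=route
    # Terminate the CHILD_SA after 15 minutes without traffic. The trap
    # policy stays in place, so the next packet brings the tunnel up again.
    inactivity=15m
    # If dead peer detection fires, clear the SA rather than restarting it
    # immediately; the trap policy will re-trigger when traffic appears.
    dpdaction=clear
    dpddelay=30s
```

With this in place, `ipsec statusall` lists the connection under "Routed Connections" while it is idle and under "Security Associations" once traffic has triggered it, and `ip xfrm policy` shows the trap policy in the kernel. The caveat in the post applies here as well: the first packet after an idle period is delayed by the IKE negotiation, so protocols with aggressive connect timeouts may see the initial attempt fail and succeed only on retry.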