The auto= setting indeed implies what the desired dpdaction would be, but...
What about a more elaborate scenario when you need to have a connection ready, but not start it right away (e.g. when you need to flip tunnels on the fly)? My first thought would be to configure the initiator using auto=add + dpdaction=restart. This is what I actually do during my tests that involve embedded equipment, where Libreswan is only part of the whole infrastructure.

Of course, we could explicitly --add/--delete/--replace connections in this case...

Oleg

On Thu, Feb 16, 2017 at 7:41 PM, Paul Wouters <[email protected]> wrote:

> On Thu, 16 Feb 2017, Tuomo Soini wrote:
>
>> if auto=start you want dpd to restart tunnel
>> if auto=route|ondemand you want dpd to hold tunnel
>> if auto=add you want dpd to clear tunnel
>>
>> If you have other requirement than this I'd like to hear about that.
>> With explanation.
>>
>> So removing whole dpdaction= would be correct thing to do
>
> I had forgotten about that discussion. Tuomo is right. The configuration
> makes it obvious what action we would want to do - if we enabled DPD.
>
>> but still, if we now set defaults for dpdtimeout and dpddelay we enable
>> dpd for all vpn tunnels which might not be wanted effect. That would
>> also happen if we add dpd/liveness=on|off switch.
>>
>> So any real fix requires breaking some configuration either by enabling
>> liveness checks or disabling them.
>
> We could introduce dpd/liveness=on|off, default to off but if we see
> delay+timeout we set it to on and log a warning. In a few years, we could
> remove this implicit "on switch". And when the on/off switch is used, we
> do populate with the default values for delay/timeout.
>
>> Only choice which doesn't break anything is not to set default values
>> and require dpdtimeout and dpddelay to be set to enable dpd/liveness
>> checks to happen.
>
> But it does not fix things either :)
>
> Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
