Hello Andreas,

set up all the connections with

    auto=route

which will install only the corresponding IPsec policies in the Linux kernel. As soon as the first packet wants to leave a host in direction to another host for which a secure connection is defined, the matching IPsec policy will trigger the IKE daemon and cause it to negotiate the IPsec tunnel just in time.

Best regards

Andreas

Andreas Schuldei wrote:
> hi!
>
> i would like to initiate my SAs "just in time", meaning that they
> should only set up the secure connection when there is real traffic,
> not ahead of time.
>
> background to that is that i want to do a full mesh of host-to-host
> transports, both within one site in order to get rid of firewalls per
> site, and between sites, to avoid setting up tunnels between sites.
>
> not every host will talk to every other host all the time, but they
> might need to talk to any given host within the whole setup sooner or
> later. in order not to have to initiate a connection to every other
> host at ipsec startup i would like to configure strongswan in a way
> that it would only set up the secure host-to-host transport when it's
> needed. otherwise i might be DoSing myself when a whole site gets cut
> off from the net and then later comes back again and a few hundred
> servers initiate connections to the rest of the network all at once.
>
> how can i solve that?
>
> /andreas

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
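Added example, not part of the original messages or of strongSwan itself: a small generator that writes the ipsec.conf sections for one host of the full mesh discussed above, with every peer connection in transport mode and `auto=route` so that nothing is negotiated until traffic appears. The function names, connection names and the host inventory are assumptions made for illustration, and authentication settings are left out because the thread does not cover them.

```python
"""Added example: per-host ipsec.conf sections for an on-demand full mesh."""
import ipaddress

# Constructed sample inventory (documentation address ranges, not from the thread).
SAMPLE_HOSTS = {
    "web1": "192.0.2.10",
    "db1": "192.0.2.20",
    "app1": "198.51.100.5",
}


def mesh_config(local, hosts):
    """Return ipsec.conf text for `local` with one trap connection per peer."""
    if local not in hosts:
        raise KeyError(f"unknown local host: {local}")
    # Validate and normalise every address before it reaches the config file.
    addrs = {name: str(ipaddress.ip_address(a)) for name, a in hosts.items()}
    if len(set(addrs.values())) != len(addrs):
        raise ValueError("duplicate address in inventory")
    lines = [
        "conn %default",
        f"    left={addrs[local]}",
        "    type=transport",
        "    # route: install only the kernel policy, negotiate on first packet",
        "    auto=route",
        "    # authentication settings are site-specific and omitted here",
        "",
    ]
    for name in sorted(addrs):
        if name == local:
            continue  # no connection to ourselves
        lines += [f"conn {local}-{name}", f"    right={addrs[name]}", ""]
    return "\n".join(lines)


def conn_count(config):
    """Count peer connections (excludes the %default section)."""
    return sum(1 for line in config.splitlines()
               if line.startswith("conn ") and line != "conn %default")


if __name__ == "__main__":
    print(mesh_config("web1", SAMPLE_HOSTS))
```

Because `auto=route` sits in `conn %default`, no generated section can fall back to negotiating at startup, which is the behaviour the original question wanted to avoid when a whole site reconnects at once.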
