Hello Andreas Steffen, this is an interesting topic. I'm wondering whether people should be advised to add dpdaction=hold to their ipsec.conf.

I tried to set up a configuration that is similar to Andreas Schuldei's. The thing that was special about my setup is that it uses an ADSL dialup connection that disconnects every 24 hours. As a result, the ppp0 interface disappears and reappears shortly after. The problem I experienced was that the tunnel did not survive this short outage and strongSwan failed the connection. What made me worry is that strongSwan deleted the IPsec policy completely. The consequence was that traffic was sent unprotected, i.e. unencrypted!

If I set auto=route, I expect strongSwan to set up the IPsec policy and refrain from deleting it *in any event*. Please correct me when I'm wrong.

-Daniel

Andreas Steffen wrote:
> Hello Andreas,
>
> set up all the connections with
>
> auto=route
>
> which will install only the corresponding IPsec policies in the
> Linux kernel. As soon as the first packet wants to leave a host
> in direction to another host for which a secure connection is
> defined, the matching IPsec policy will trigger the IKE daemon
> and cause it to negotiate the IPsec tunnel just in time.
>
> Best regards
>
> Andreas
>
> Andreas Schuldei wrote:
>> hi!
>>
>> I would like to initiate my SAs "just in time", meaning that they
>> should only set up the secure connection when there is real traffic,
>> not ahead of time.
>>
>> Background to that is that I want to do a full mesh of host-to-host
>> transports, both within one site in order to get rid of firewalls per
>> site, and between sites, to avoid setting up tunnels between sites.
>>
>> Not every host will talk to every other host all the time, but they
>> might need to talk to any given host within the whole setup sooner or
>> later. In order not to have to initiate a connection to every other
>> host at ipsec startup I would like to configure strongswan in a way
>> that it would only set up the secure host-to-host transport when it's
>> needed. Otherwise I might be DoSing myself when a whole site gets cut
>> off from the net and then later comes back again and a few hundred
>> servers initiate connections to the rest of the network all at once.
>>
>> How can I solve that?
>>
>> /andreas

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
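A defender-side check for the failure Daniel describes, added here as an example that is not part of this thread or of strongSwan itself: it parses the kernel policy table as printed by `ip xfrm policy show` (the sample output and the 10.0.0.x addresses are constructed) and reports peer pairs whose ESP policy is absent in either direction, which is the state in which traffic would leave or be accepted unprotected.

```python
import re

# Constructed sample of `ip xfrm policy show` output (not captured from a real host):
# 10.0.0.1<->10.0.0.2 has both directions, 10.0.0.1<->10.0.0.3 has lost its inbound policy.
SAMPLE_XFRM_OUTPUT = """\
src 10.0.0.1/32 dst 10.0.0.2/32
\tdir out priority 1760 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.2
\t\tproto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32
\tdir in priority 1760 ptype main
\ttmpl src 10.0.0.2 dst 10.0.0.1
\t\tproto esp reqid 1 mode transport
src 10.0.0.1/32 dst 10.0.0.3/32
\tdir out priority 1760 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.3
\t\tproto esp reqid 2 mode transport
"""

def parse_xfrm_policies(text: str) -> list:
    """One dict per policy block: src, dst, dir and whether an ESP template is attached."""
    policies = []
    # Each block starts with a "src X dst Y" line; the indented lines below belong to it.
    for block in re.split(r"(?m)^(?=src \S+ dst \S+)", text):
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue
        direction = re.search(r"\bdir (in|out|fwd)\b", block)
        policies.append({"src": head.group(1), "dst": head.group(2),
                         "dir": direction.group(1) if direction else "",
                         "esp": "proto esp" in block})
    return policies

def missing_policies(policies: list, pairs: list) -> list:
    """For each (local, remote) pair, list the ESP policy directions that are absent:
    no 'out' means packets to the peer go in the clear, no 'in' means cleartext is accepted."""
    have = {(p["src"], p["dst"], p["dir"]) for p in policies if p["esp"]}
    missing = []
    for local, remote in pairs:
        if (local, remote, "out") not in have:
            missing.append((local, remote, "out"))
        if (remote, local, "in") not in have:
            missing.append((local, remote, "in"))
    return missing

if __name__ == "__main__":
    pairs = [("10.0.0.1/32", "10.0.0.2/32"), ("10.0.0.1/32", "10.0.0.3/32")]
    for local, remote, d in missing_policies(parse_xfrm_policies(SAMPLE_XFRM_OUTPUT), pairs):
        print(f"MISSING {d} ESP policy for {local} <-> {remote}")
```

On a real host, feed it the live output of `ip xfrm policy show` after the ppp0 link has come back, since the kernel table, not the daemon's status, is what decides whether packets get encrypted.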
