> Hi Stig,
> Yes, you are correct.
> Modifying that value does the trick.
> It's logical actually. After Vyatta boots, it tries automatically to
> bring up the tunnel. That's not bad, but it would be nice if we could
> specify that from the cli. If the tunnel is not needed, why should it be
> up when the machine starts?

Hi Adrian,

I'm glad that worked for you. We debated a bit whether to make that configurable or try to pick a mode that works for most cases. For most new users it's confusing if the tunnel doesn't come up when they can ping the other side of the tunnel. There was also some concern that the byte counter under "show vpn ipsec sa statistics" would be lost every time the tunnel went up/down. But I think you bring up a good point that it should be configurable, so I've opened an enhancement request (https://bugzilla.vyatta.com/show_bug.cgi?id=2506). Until that gets implemented, if you would like to change the default behavior of your Vyatta you can edit /opt/vyatta/sbin/vpn-config.pl and do the same replacement of "auto=start" with "auto=add".

> By the way, do you guys plan to add support for certificate
> authentication for IKE (configure on Vyatta a trusted CA, specify a
> certificate obtained from this CA, do CRL checking...) ?

If those features are supported by OpenSwan (which our vpn is built upon), then it's not difficult to integrate a new feature. It's mostly a matter of prioritizing limited development resources, but you can vote for a feature on the community wiki:

http://www.vyatta.com/twiki/bin/view/Community/TopEnhancements

stig

> Thanks,
> Adrian