Feature #3806
closed
Strongswan and CARP, initiator options
0%
Description
Putting this in a ticket so it isn't forgotten:
Currently strongswan attempts to initiate, which may not play well with CARP. It would be necessary in that case to be able to configure strongswan to selectively either act as initiator or as a passive responder.
We could also do a similar action to OpenVPN where we automatically account for this when a CARP VIP is detected for binding.
Updated by Ermal Luçi almost 11 years ago
- Status changed from New to Feedback
Can you update to latest snapshots and test!
Updated by
Updated by Jim Pingle almost 11 years ago
- Status changed from Feedback to New
It does act as a responder now rather than an initiator, but it would be nice to have a selector on P1 to control that behavior as an option. We occasionally get asked about that capability. Given the possible values of strongswan's auto= setting in ipsec.conf, we could have the following choices:
route - Initiate for tunnel traffic (default)
start - Always initiate immediately
add - Respond only, never initiate
Updated by Ermal Luçi almost 11 years ago
For IKEv1 there are complication to adding this.
It will mean that if you have more than one phase2 for IKEv1 it will install only the first phase2 and not the others.
For me its better to just have to click on diag_ipsec.php connect or let the traffic trigger tunnel connection whenever needed rather than have this option at all.
Updated by Ermal Luçi almost 11 years ago
- Target version changed from 2.2 to Future
It will be investigated on the future.
Updated by Kill Bill almost 10 years ago
Jim P wrote:
It does act as a responder now rather than an initiator, but it would be nice to have a selector on P1 to control that behavior as an option.
This was done in #4360
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Resolved
- Target version deleted (
Future)
#4360 covers part of this, the remainder covered by the change from start to route pre-2.2.0