Couldn't you get the same thing with the VPN dead peer-detect set to HOLD?
Under strongSwan, for example, there's a setting that would allow you to auto=start or auto=ignore; if you could add this, you should be okay. Here's how my Vyatta ipsec.conf looks:

conn peer-1.1.1.1-tunnel-1
        left=1.1.1.1
        right=2.2.2.2
        leftsubnet=192.168.254.0/24
        rightsubnet=192.168.255.0/24
        ike=3des-md5-modp1024
        ikelifetime=28800s
        aggrmode=no
        dpddelay=30s
        dpdtimeout=60s
        dpdaction=restart
        esp=3des-md5
        keylife=3000s
        rekeymargin=540s
        type=tunnel
        pfs=no
        compress=yes
        authby=secret
        auto=start

If the last line was set to auto=ignore, then I would think ipsec would be started and the host would wait for the far end (right) to initiate the session.