Ken,

You are right that changing the "auto=start" line will change this behavior. Initially our goal was to have a fairly simple configuration to bring up a tunnel, but over time we'll need to add more options to the vpn cli. The last time this came up I opened an enhancement request to make this configurable (https://bugzilla.vyatta.com/show_bug.cgi?id=2506). Maybe I should increase the priority of that bug?

Note: changes to /etc/ipsec.conf will be lost on a reboot. If you want to change the behavior such that it will survive a reboot you can edit /opt/vyatta/libexec/xorp/vpn-config.pl (search for "auto=start").

stig

> Couldn't you get the same thing with the VPN dead peer-detect set to
> HOLD?
>
> Under strongswan for example, there's a setting that would allow you to
> auto=start or auto=ignore, if you could add this, you should be okay.
> Here's how my vyatta ipsec.conf looks:
>
> conn peer-1.1.1.1-tunnel-1
>     left=1.1.1.1
>     right=2.2.2.2
>     leftsubnet=192.168.254.0/24
>     rightsubnet=192.168.255.0/24
>     ike=3des-md5-modp1024
>     ikelifetime=28800s
>     aggrmode=no
>     dpddelay=30s
>     dpdtimeout=60s
>     dpdaction=restart
>     esp=3des-md5
>     keylife=3000s
>     rekeymargin=540s
>     type=tunnel
>     pfs=no
>     compress=yes
>     authby=secret
>     auto=start
>
> If the last line was set to auto=ignore, then I would think ipsec would
> be started and the host would wait for the far-end (right) to
> initiate the session.
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
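A small checker for the ipsec.conf format discussed in this thread, added here as an example and not code from the thread or from Vyatta: it parses the conn sections, lists which tunnels this host will initiate on its own (auto=start, the behavior Ken wants to turn off), and rewrites one conn's auto= setting to ignore or add. The sample config is constructed from the quoted block, with a second responder-only conn and placeholder addresses assumed.

```python
# Constructed sample modelled on the conn block quoted in the thread, not the
# poster's real file; addresses are placeholders and the second conn is assumed.
SAMPLE_IPSEC_CONF = """\
conn peer-1.1.1.1-tunnel-1
    left=1.1.1.1
    right=2.2.2.2
    leftsubnet=192.168.254.0/24
    rightsubnet=192.168.255.0/24
    dpdaction=restart
    authby=secret
    auto=start

conn peer-3.3.3.3-tunnel-1   # responder-only: waits for the far end to initiate
    left=1.1.1.1
    right=3.3.3.3
    authby=secret
    auto=ignore
"""

def parse_ipsec_conf(text):
    """Map each 'conn NAME' section (header in column 0) to its indented key=value settings."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # header: 'conn NAME', 'config setup', ...
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if len(parts) == 2 and parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def initiating_conns(conns):
    """Conns this host brings up itself at startup; strongSwan treats a missing auto= as 'ignore'."""
    return sorted(n for n, kv in conns.items() if kv.get("auto", "ignore") == "start")

def set_auto(text, conn_name, mode):
    """Return text with the auto= line of conn_name rewritten to mode (e.g. 'ignore' or 'add')."""
    out, in_target = [], False
    for line in text.splitlines():
        if line and not line[0].isspace():        # section header: are we inside the target conn?
            in_target = line.split()[:2] == ["conn", conn_name]
        elif in_target and line.strip().startswith("auto="):
            line = line[: len(line) - len(line.lstrip())] + "auto=" + mode   # keep indentation
        out.append(line)
    return "\n".join(out) + "\n"
```

Note that, as the thread says, editing /etc/ipsec.conf this way does not survive a reboot on Vyatta; the check is still useful for confirming what the generated file will do.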