Michael Tremer

Feature Spotlight: On-Demand IPsec VPNs
by Michael Tremer, May 1

Although this is not really rocket science, I find this feature exciting. VPNs that switch on when you need them and switch off when they are idle. It is as simple as that. The IPsec stack inside IPFire is under constant development and improvement. With almost every single update, we introduced some minor new feature or added ciphers, integrity algorithms or simply just fixed bugs.

Today, I would like to highlight this one feature though: On-Demand VPNs

It works in that way, that strongSwan, the software that is negotiating IPsec connections is installing a trigger in the kernel. When ever a packet is sent from a client on the local network to a destination on the other side of the VPN, it will hit that trigger which then causes strongSwan to try to establish the connection.

strongSwan is doing all sorts of protocol negotiations, but as soon as a VPN connection is established, the kernel is doing the heavy lifting; i.e. encrypting and decryption as well as routing packets. It is really fast doing that and given the right hardware, IPFire is able to route 10G VPN connections with solid encryption of course!

During the establishment of a VPN connection, the client will continue trying the other end of VPN. Some retransmissions might happen if opening up the VPN takes a little bit longer. But as soon as it is up, the connection is ready for use as usual.

Has no packet been transferred over the VPN for 15 minutes, the connection will automatically be shut down. That means that the system can save some resources since it does not constantly need to re-negotiate the IPsec Security Association and send keep-alive packets. On some weaker systems that will save some resources.

IPsec is however quite lightweight so that this is not really a problem to keep up a tunnel. But it adds up quickly if you have a number of them. That is one of the main motivations to build this in the first place. Some other reasons are that strongSwan tries a little bit harder to establish the tunnel if there is traffic (because of the triggers) which helps to keep up flaky connections, too.

How to?

To enable all this goodness, there is not much to do. Just go to the “Advanced Settings” section of your IPsec net-to-net connection and select “On-Demand” as “Start Action”. That is all there is to do. The other (and default) option is too keep up the connection at all times.

The status will be shown on the web user interface as “ON-DEMAND” when the connection is idle. If it is up, it will show as “CONNECTED” as it did before.

Posted: May 1 • 854 views