> Remember that tunnels will be brought down when their SAs expire and
> there's no immediate traffic to bring it back up. Tunnel creation is
> usually pretty quick (a second or two) so usually theres no issue with
> rebuilding it after a drop. I wonder if it would be possible in the future
> to add a "persistant" option that would cause each endpoint to ping the
> other across the tunnel at predefined intervals. Honestly, I don't know
> how useful that is, but its something to ponder. I guess.
A persistent option would be very useful. I have a Watchguard SOHO at a
remote site and it has an option to ping a specified address. I use this
to ping a local address and hence keep the tunnel up.
Does anyone have any further tips for using Monowall/IPSEC with DHCP on
the WAN? I have a such a beast at home linked into my Watchguard Firebox
at work. It works great, set up was a breeze, docs are great. Much
easier than the SOHO.
Trouble is, everytime my DHCP lease with my ISP expires, I lose the
tunnel. Trying to reconnect from home doesn't re-establish the link and
under Diagnostics/IPSEC I get multiple SAD/SPD entries. I tried this
on v1.0 and v1.1b14 - same result.
The only way I get the link back is to reboot Monowall. I guess just
restarting IPSEC would probably do it. Is there a way to restart the
tunnel when the WAN address changes? Does this happen anyway?