IPSEC help (level)

I have a problem with IPsec. The generated policies are assigned a “required” level. This is problematic because if a client connects to me with IPsec, a policy is generated to require all further traffic to be encrypted… but after the SAs time out and the client decides to connect without IPsec, she will not be able to do so. In fact no further unencrypted connections from that IP will be possible ever, unless I manually flush the (already non-existent) SAs, which will clear the generated (dynamic) policies. There is no way to clear dynamic policies …

A solution to this would be to be able to set the level in peers for the generated policy. So even if I still could not delete the policy, at least it would be “use” level, so that non-IPsec communication would be possible.

I think making the level part of the peer template would make IPsec usable for dynamic IP VPN use. Right now it works only if customers never mix IPsec and non-IPsec connections, but when they do they will not be able to go back to non-IPsec… you may think that this is not important, but different client applications support L2TP differently. Apple requires IPsec, while it is optional for Windows and non-existent for DD-WRT or other SOHO wifi routers and other small tabletop devices. So people do mix IPsec with non-IPsec even if they don’t know about it and just end up running into problems.

GL
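The failure mode described in the post above, as an added diagnostic (not code from the original poster or from MikroTik): a RouterOS script that lists dynamic policies at level "require" for which no installed SA remains, i.e. exactly the policies that will silently drop a peer's later plaintext traffic. It assumes the documented `/ip ipsec policy` fields `dynamic`, `level`, `src-address`, `dst-address`, `sa-src-address`, `sa-dst-address` and the `/ip ipsec installed-sa` fields `src-address` and `dst-address`; field names may differ between RouterOS versions, so check them with `print` first.

```routeros
# Added example, not part of the original thread. Field names are assumptions
# based on the RouterOS /ip ipsec policy and /ip ipsec installed-sa menus.
# Walk every dynamically generated policy that enforces IPsec on its traffic.
:foreach p in=[/ip ipsec policy find dynamic=yes level=require] do={
    :local src [/ip ipsec policy get $p src-address]
    :local dst [/ip ipsec policy get $p dst-address]
    :local saSrc [/ip ipsec policy get $p sa-src-address]
    :local saDst [/ip ipsec policy get $p sa-dst-address]
    # A live peer has an SA in at least one direction between the SA endpoints.
    :local outbound [/ip ipsec installed-sa find src-address=$saSrc dst-address=$saDst]
    :local inbound  [/ip ipsec installed-sa find src-address=$saDst dst-address=$saSrc]
    :if ([:len $outbound] = 0 && [:len $inbound] = 0) do={
        # No SA left, but the policy still demands encryption: plaintext from
        # this peer will be dropped until the dynamic policy goes away.
        :log warning ("stale require-level dynamic IPsec policy " . $src . " -> " . $dst . " for peer " . $saDst)
    }
}
```

Running this from the scheduler (for example every few minutes) gives an operator a log entry the moment a client that has fallen back to non-IPsec L2TP starts being blocked, which is otherwise hard to distinguish from an ordinary connectivity problem. As the post notes, the only remedy the thread knows of is flushing installed SAs, so the script deliberately reports rather than acts.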

Yeah, if you use a dynamically generated policy, there is no way to set the level. Nice catch, I can see when that would be a problem, and setting the policy level in the peer could help.

However, it goes the other way around too. If you configured the level on a per-peer basis, you couldn't have a single peer config for multiple policies which require different levels if you are using static policies.

The true solution would be to allow us to delete dynamic IPsec policies (if the corresponding SAs are missing, for example).

Does anyone know if this is a kernel limitation or a MikroTik-enforced limitation that they would be able to change?

GL