Connect On Demand?

It already does that. Try connecting via the client and then waiting until the key lifetime expires. If you' re not sending packets across the VPN connection, the VPN tunnel will not renegotiate. Instead it will go into an idle state until you attempt to access a resource through the VPN. At that time it will establish the tunnel again with a new key lifetime and send your request across the VPN.

Yes, it appears to do that IF the tunnel is already connected. But if the state is Down, as it is when the machine (in this case a laptop) is initially started up, (at least on my beater laptop) it doesn' t automically start up the tunnel when an attempt is made to reach the remote network. I really want the VPN equivalent of " dial this remote network when it is not available" .

Ok, I see what you' re saying. It' s too bad there is no " Connect on Startup" option like there was on the SSH Sentinel client that Fortigate used to use. It sounds like that' s the feature you' re looking for. Perhaps that' s a feature they will add in the future.

No this client does not have that feature, but you aren' t restricted to using this one client either. netscreen has a client that does exactly what you are asking for