[strongSwan] virtual IP assignment fails if previous tunnel not properly shutdown

Martin Willi martin at strongswan.org
Thu Dec 2 11:36:27 CET 2010


Hi Benoit,

> 'CN=game.foo.com' already has an online lease, unable to assign address

> Is there a way to force the IP address assignment for the new tunnel in
> this case?

No, currently not. The address is reserved, and the daemon won't assign
it twice.

The ipsec.conf uniqueids option won't work either, as it gracefully
negotiates the shutdown of the old tunnel. As the peer won't respond on
this SA, this takes several retransmits.

This is a good case where the INITIAL_CONTACT notify could delete the
old SA, but we currently do not support it.

One option is to set leftsourceip on the client to the specific IP, the
server will reassign it in this case. But this probably won't solve the
problem, you'll have a conflict between the old and the new CHILD_SA.

The only solution I currently see is to use a larger pool with multiple
addresses.

Regards
Martin
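The workaround Martin recommends, a larger address pool instead of a single reserved address, as an added ipsec.conf example that is not part of the original thread. The connection names, certificate file, subnets and pool ranges are assumed placeholders; the option names (rightsourceip, leftsourceip, uniqueids) are the real strongSwan ipsec.conf keywords.

```conf
# --- Added example, not from the original post. ---
# Responder (server) side. A single-address pool leaves no room when the old
# lease is still marked online, because the daemon will not hand it out twice.

config setup
    # Enforces one SA per identity, but only by gracefully deleting the old
    # one; with an unresponsive peer this waits through the retransmits.
    uniqueids=yes

# Problematic setup (assumed): the pool holds exactly one address.
conn roadwarrior-single
    keyexchange=ikev2
    left=%defaultroute
    leftcert=serverCert.pem            # placeholder certificate name
    leftsubnet=10.1.0.0/16             # placeholder protected subnet
    right=%any
    rightsourceip=10.3.0.1/32          # one lease: a stale lease blocks all reconnects
    auto=add

# Recommended setup: a pool with spare addresses, so a reconnecting client
# gets a fresh lease while the stale one ages out.
conn roadwarrior-pool
    keyexchange=ikev2
    left=%defaultroute
    leftcert=serverCert.pem
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.3.0.0/24          # 254 leases instead of 1
    auto=add

# Initiator (client) side: request an address from the responder's pool
# rather than pinning one with leftsourceip=<fixed IP>, which would also
# collide with the stale CHILD_SA as noted above.
conn home
    keyexchange=ikev2
    left=%defaultroute
    leftsourceip=%config
    leftcert=clientCert.pem            # placeholder certificate name
    right=vpn.example.com              # placeholder gateway
    rightsubnet=10.1.0.0/16
    auto=start
```

To see which leases the responder still considers online (and therefore which addresses it will refuse to reassign), run `ipsec leases` on the gateway; an entry that stays online after a client has dropped off the network is the condition described in the log line above.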