[strongSwan] virtual IP assignement fails if previous tunnel not properly shutdown

Benoit Foucher benoit at bittrap.com
Thu Dec 2 11:57:57 CET 2010

Hi Martin,

Thanks for your answer. 

It's not clear to me why using a larger pool would solve the problem. My pool is already quite large and has many addresses available. The gateway refuses to assign the virtual IP (be it the same or a new one) to the new tunnel because a virtual IP is already assigned for the peer identity and it thinks it's still online.

Do you know when strongSwan detects that the tunnel is dead and releases the lease for the IP otherwise?

Thanks again.


On Dec 2, 2010, at 11:36 AM, Martin Willi wrote:

> Hi Benoit,
>> 'CN=game.foo.com' already has an online lease, unable to assign address
>> Is there a way to force the IP address assignment for the new tunnel in
>> this case?
> No, currently not. The address is reserved, and the daemon won't assign
> it twice.
> The ipsec.conf uniqueids option won't work either, as it gracefully
> negotiates the shutdown of the old tunnel. As the peer won't respond on
> this SA, this takes several retransmits.
> This is a good case where the INITIAL_CONTACT notify could delete the
> old SA, but we currently do not support it.
> One option is to set leftsourceip on the client to the specific IP, the
> server will reassign it in this case. But this probably won't solve the
> problem, you'll have a conflict between the old and the new CHILD_SA.
> The only solution I currently see is to use a larger pool with multiple
> addresses.
> Regards
> Martin

More information about the Users mailing list