[strongSwan] Issues observed with Server leases in road warrior configuration

Tobias Brunner tobias at strongswan.org
Thu Feb 12 12:22:27 CET 2015

Hi Sumit,

> Note that, strongswan version that I use is 4.3.6.

The reassign_online option was added with 5.1.0, but the default
behavior before that was actually to reassign online leases.  But only
if the client explicitly requested the same IP address it got assigned
earlier.  This was done for better interoperability during
reauthentication with third-party implementations, but we added the
option and disabled this behavior by default when we started to prevent
duplicate IPsec policies (see [1]).

Since your client obviously won't request the same address this does not
actually help in your case.  Please try the SQL plugin as mentioned by
Noel (another option might be to assign IP addresses via RADIUS, or
adding individual conn sections for each client).  In newer releases,
where, as mentioned, duplicate IPsec policies are not allowed this could
actually cause problems, though, if the old SA is still around.

> Also, there is nothing available on strongswan wiki wrt mem-pool.reassign_online option.

I've added documentation to the wiki and the man page.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7612a6e42
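
A simplified model of the lease behavior described in the message above, added here as an example; it is not part of the original message and not strongSwan's code. The class, method names, identity and address range are constructed for illustration, and the reuse of an offline lease for the same identity is an assumption about the pool that the message does not spell out.

```python
import ipaddress

class MemPool:
    """Toy in-memory virtual IP pool keyed by client identity (hypothetical model)."""

    def __init__(self, cidr, reassign_online=False):
        self.free = [str(a) for a in ipaddress.ip_network(cidr).hosts()]
        self.reassign_online = reassign_online
        self.leases = {}  # identity -> {address: number of online users}

    def acquire(self, identity, requested=None):
        leases = self.leases.setdefault(identity, {})
        # 1. An offline lease of the same identity is reused (assumption),
        #    preferring the address the client asked for.
        offline = [a for a, n in leases.items() if n == 0]
        if offline:
            addr = requested if requested in offline else offline[0]
            leases[addr] = 1
            return addr
        # 2. A lease that is still online is handed out again only when the
        #    option is enabled AND the client explicitly requests that address.
        if self.reassign_online and requested in leases:
            leases[requested] += 1
            return requested
        # 3. Otherwise the client consumes a new address from the pool.
        if not self.free:
            return None
        addr = self.free.pop(0)
        leases[addr] = 1
        return addr

    def release(self, identity, addr):
        # Called when the SA that used the address is deleted.
        leases = self.leases.get(identity, {})
        if leases.get(addr, 0) > 0:
            leases[addr] -= 1

def reconnect_while_online(reassign_online, request_same):
    """Client reconnects although the server still holds its old SA/lease."""
    pool = MemPool("10.3.0.0/29", reassign_online)  # constructed range
    first = pool.acquire("carol@example.org")       # constructed identity
    second = pool.acquire("carol@example.org", first if request_same else None)
    return first, second

if __name__ == "__main__":
    for opt in (False, True):
        for same in (False, True):
            print(opt, same, reconnect_while_online(opt, same))
```

Only the combination of an enabled option and a client that requests its previous address yields the same IP; a client that requests no specific address takes a fresh lease on every reconnect until the old one goes offline.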

