[strongSwan] Issues observed with Server leases in road warrior configuration
Kaur, Sumit (NSN - IN/Bangalore)
sumit.kaur at nsn.com
Thu Feb 12 13:10:55 CET 2015
Hi,
Individual client-based conn sections cannot be added since the server does not know the identity of the road warriors.
Wanted to check, for this use case (where the server does not know its clients), would even the SQL plugin provide any solution wrt assigning the same virtual IP to a client always?
Thanks
Sumit
-----Original Message-----
From: ext Tobias Brunner [mailto:tobias at strongswan.org]
Sent: Thursday, February 12, 2015 4:52 PM
To: Kaur, Sumit (NSN - IN/Bangalore); ext Noel Kuntze; users at lists.strongswan.org
Subject: Re: [strongSwan] Issues observed with Server leases in road warrior configuration
Hi Sumit,
> Note that, strongswan version that I use is 4.3.6.
The reassign_online option was added with 5.1.0, but the default
behavior before that was actually to reassign online leases. But only
if the client explicitly requested the same IP address it got assigned
earlier. This was done for better interoperability during
reauthentication with third-party implementations, but we added the
option and disabled this behavior by default when we started to prevent
duplicate IPsec policies (see [1]).
Since your client obviously won't request the same address this does not
actually help in your case. Please try the SQL plugin as mentioned by
Noel (another option might be to assign IP addresses via RADIUS, or
adding individual conn sections for each client). In newer releases,
where, as mentioned, duplicate IPsec policies are not allowed this could
actually cause problems, though, if the old SA is still around.
> Also, there is nothing available on strongswan wiki wrt mem-pool.reassign_online option.
I've added documentation to the wiki and the man page.
Regards,
Tobias
[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7612a6e42
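As an added illustration that is not part of this thread, the following shows what the "individual conn sections for each client" option Tobias mentions looks like in ipsec.conf syntax, next to the strongswan.conf option he refers to. Identities, certificate names and addresses are constructed placeholders; the approach assumes the server can authenticate each client under a known identity (here a certificate DN), which is exactly the condition Sumit's deployment does not meet. The reassign_online setting exists only from 5.1.0 on, as stated above, so it has no effect on 4.3.6.

```conf
# /etc/ipsec.conf -- constructed example, not from the thread
config setup

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add

# One section per known client: the client's certificate identity (rightid)
# selects the section, and a single-address rightsourceip pins the virtual IP,
# so the client gets the same lease on every reconnect without any pool state.
conn rw-alice
    rightid="C=CH, O=Example, CN=alice"
    rightsourceip=10.3.0.11

conn rw-bob
    rightid="C=CH, O=Example, CN=bob"
    rightsourceip=10.3.0.12

# Clients whose identity is not known in advance fall through to a section
# without rightid and draw from a shared in-memory pool; nothing ties them
# to a fixed address, which is the situation described in the thread.
conn rw-unknown
    rightsourceip=10.3.0.0/24
```

The strongswan.conf side (5.1.0 and later) is the option from the reply; the default of "no" means a lease that is still online is not handed back to a client re-authenticating from a new IKE_SA, which is what keeps duplicate IPsec policies from being installed while the old SA is still around:

```conf
# /etc/strongswan.conf -- constructed example; option is 5.1.0+, not in 4.3.6
charon {
    mem-pool {
        # default: do not reassign a lease that is still online
        reassign_online = no
    }
}
```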