[strongSwan] Query regarding ipsec pool

Tobias Brunner tobias at strongswan.org
Wed Jun 3 13:50:15 CEST 2015

Hi Divya,

> Is 'offline' applicable only when timeout is 0?

No, if timeout is 0 dynamic leases are disabled and every lease will
have the status 'static'.  The status 'offline' does not really exist,
instead 'valid is the status of a lease that the client is currently not
using (which would be signified by the status 'online') but is still
within the configured timeout.  'expired' is an offline lease that is
outside of the configured timeout.

> Will offline/expired addresses be released so that it will be provided
> to other clients?

Yes, expired leases will be reassigned to other clients.

> Client established connection:
>     # date --utc; ipsec pool --leases --utc
>    Wed Jun  3 07:00:35 UTC 2015
>     name     address         status   start                     end
>                    identity
>     bigpool      online   (null) 15 09:04:32 1803625851

The timestamp is printed by a function that uses gmtime_r() to split a
timestamp into parts (struct tm).  That "(null)" is printed as name of
the month indicates that tm_mon contains a value outside the range of 0
to 11.  The value in tm_year (1803625851) is also suspicious.  It looks
as if the struct tm instance is not properly initialized.  Maybe
gmtime_r() fails but for some reason does not return NULL.  You might
want to look into that (the function is called time_printf_hook(),
either in utils.c or utils/time.c, depending on the codebase you are using).

>  However, the functionality is working fine - the address was marked
> expired exactly after one hour, just that the output is not
> understandable.

Yes, I think this is mainly a cosmetic issue in the pool utility.
Expiration is otherwise handled directly via SQL (and address assignment
is handled in the attr-sql plugin anyway).


More information about the Users mailing list