
List:       libreswan
Subject:    Re: [Swan] running out of ip addresses
From:       Paul Wouters <paul () nohats ! ca>
Date:       2017-01-31 22:14:01
Message-ID: 10EB9ECE-8780-49D9-8689-071C22551769 () nohats ! ca

Oh, with uniqueids set to no, old clients cannot be distinguished from new clients, so a new lease is given. If the clients vanish without sending a delete, that IP is locked for the salifetime (8h?) if not using dpd.

Sent from my iPhone

> On Jan 31, 2017, at 16:46, Dynastic Space <dynasticspace@gmail.com> wrote:
> 
> We are running libreswan version 3.14. We have only 3 users using the system, all have their "Connect on Demand" set to yes. After 2 days 200 ips are allocated and not returned to the pool.
> Here is the configuration:
> 
> config setup
>   protostack=netkey
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>   uniqueids=no
>   plutostderrlog=/var/log/libreswan
> 
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=aaa.bbb.ccc.ddd
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
> 
> with 'uniqueids=no' we are running out of ips.
> when we set uniqueids to 'yes', we seem to be stable.
> 
> I encountered this post: https://lists.libreswan.org/pipermail/swan/2016/001731.html, stating that uniqueids=yes should not be used with authby=secret.
> Do you have a recommendation? Could you explain why we are running out of those ips?
> Thanks
> 
> _______________________________________________
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

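The reply above names two things that bound how long an orphaned lease lives: Dead Peer Detection, which lets the server notice a client that vanished without sending a delete, and salifetime, which caps the lifetime of an SA whose peer is never detected as dead. The fragment below is an added configuration example, not part of the thread and not text from the libreswan project; it takes the poster's conn and adds the DPD and lifetime settings. The timer values (30s probe interval, 120s timeout, 1h salifetime) are illustrative assumptions, not recommendations from the thread.

```ini
# Added example, not from the original post. Only the lines commented as
# "added" differ from the poster's configuration; the values are assumptions.
config setup
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
  # Kept at "no": the thread the poster cites advises against uniqueids=yes
  # with authby=secret, so lease reclamation has to come from DPD/lifetimes.
  uniqueids=no
  plutostderrlog=/var/log/libreswan

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    modecfgdns1=aaa.bbb.ccc.ddd
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
    # added: Dead Peer Detection. Probe a silent peer every dpddelay seconds;
    # if nothing comes back within dpdtimeout seconds, treat the peer as gone.
    # "clear" deletes the SAs for that client instead of holding or restarting
    # them, which is what a server with right=%any wants (assumed values).
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # added: bound the worst case for a client that never answers DPD (or that
    # did not negotiate it). The default salifetime is 8h; 1h is an assumption.
    salifetime=1h
```

DPD is negotiated, so it only takes effect against clients that also advertise it; the salifetime bound is what remains for clients that do not. After editing, the connection has to be reloaded (for example with `ipsec auto --replace xauth-psk`) before new sessions pick up the settings; leases already held by dead sessions are not released by the reload itself.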
