[Swan] running out of ip addresses
Dynastic Space
dynasticspace at gmail.com
Tue Jan 31 21:46:41 UTC 2017
We are running libreswan version 3.14. We have only 3 users using the
system, all have their "Connect on Demand" set to yes. After 2 days 200 ips
are allocated and not returned to the pool.
Here is the configuration:
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
    uniqueids=no
    plutostderrlog=/var/log/libreswan

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.231.247.10-10.231.247.254
    right=%any
    cisco-unity=yes
    modecfgdns1=aaa.bbb.ccc.ddd
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never

With 'uniqueids=no' we are running out of IPs.
When we set uniqueids to 'yes', we seem to be stable.
I encountered this post:
https://lists.libreswan.org/pipermail/swan/2016/001731.html, stating that
uniqueids=yes should not be used with authby=secret.
Do you have a recommendation? Could you explain why we are running out of
those ips?
Thanks