[Swan] running out of ip addresses
Paul Wouters
paul at nohats.ca
Tue Jan 31 22:14:01 UTC 2017
Oh, with uniqueids set to no, old clients cannot be distinguished from new clients, so a new lease is given. If the clients vanish without sending a delete, that IP is locked for the salifetime (8h?) if not using dpd.
Sent from my iPhone
> On Jan 31, 2017, at 16:46, Dynastic Space <dynasticspace at gmail.com> wrote:
>
> We are running libreswan version 3.14. We have only 3 users using the system, all have their "Connect on Demand" set to yes. After 2 days 200 ips are allocated and not returned to the pool.
>
> Here is the configuration:
>
> config setup
>     protostack=netkey
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>     uniqueids=no
>     plutostderrlog=/var/log/libreswan
>
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=aaa.bbb.ccc.ddd
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
>
> With 'uniqueids=no' we are running out of IPs.
> When we set uniqueids to 'yes', we seem to be stable.
>
> I encountered this post: https://lists.libreswan.org/pipermail/swan/2016/001731.html, stating that uniqueids=yes should not be used with authby=secret.
>
> Do you have a recommendation? Could you explain why we are running out of those ips?
>
> Thanks
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
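To make the lease-exhaustion argument in the reply concrete, here is a small simulation added to this thread; it is a hand-written model of an address pool, not libreswan's own lease code. It assumes an 8h salifetime, a 60-second on-demand session, and a 120-second DPD timeout, and uses the poster's rightaddresspool range.

```python
"""Toy model of an IKE/XAUTH address pool (assumption: hand-written, not libreswan code)."""
from ipaddress import IPv4Address

SALIFETIME = 8 * 3600    # assumed lease lifetime when nothing tears the SA down
SESSION = 60             # assumed seconds a "Connect on Demand" client stays up


class AddressPool:
    def __init__(self, first, last, uniqueids, dpd_timeout=None):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.free = [IPv4Address(i) for i in range(lo, hi + 1)]
        self.leases = {}          # ip -> [client id, expiry time]
        self.uniqueids = uniqueids
        self.dpd_timeout = dpd_timeout
        self.exhausted = False

    def expire(self, now):
        # release leases whose SA lifetime (or DPD timeout) has run out
        for ip, (_, exp) in list(self.leases.items()):
            if exp <= now:
                del self.leases[ip]
                self.free.append(ip)

    def connect(self, cid, now):
        self.expire(now)
        if self.uniqueids:
            # uniqueids=yes: the same ID reconnecting replaces its old SA, lease is reused
            for ip, lease in self.leases.items():
                if lease[0] == cid:
                    lease[1] = now + SALIFETIME
                    return ip
        if not self.free:
            self.exhausted = True   # the "running out of ips" the poster observed
            return None
        ip = self.free.pop(0)       # uniqueids=no: the old client looks like a new one
        self.leases[ip] = [cid, now + SALIFETIME]
        return ip

    def vanish(self, ip, now):
        # client drops without sending a delete; only DPD shortens the lease
        if ip in self.leases and self.dpd_timeout is not None:
            self.leases[ip][1] = now + self.dpd_timeout


def simulate(uniqueids, dpd_timeout=None, clients=3, interval=1800, hours=48):
    """Return (peak leases in use, whether the pool ran dry) for reconnecting clients."""
    pool = AddressPool("10.231.247.10", "10.231.247.254", uniqueids, dpd_timeout)
    peak = 0
    for now in range(0, hours * 3600, interval):
        ips = [pool.connect(f"user{c}", now) for c in range(clients)]
        peak = max(peak, len(pool.leases))
        for ip in ips:
            pool.vanish(ip, now + SESSION)
    return peak, pool.exhausted
```

With three clients reconnecting every 30 minutes, uniqueids=no and no DPD holds 48 leases at once, while either uniqueids=yes or DPD keeps it at 3; reconnecting every minute with uniqueids=no drains the whole 245-address pool within 8 hours.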