[Swan] running out of ip addresses

Paul Wouters paul at nohats.ca
Tue Jan 31 22:14:01 UTC 2017


Oh, with uniqueids set to no, old clients cannot be distinguished from new clients, so a new lease is given. If the clients vanish without sending a delete, that IP is locked for the salifetime (8h?) if not using dpd.

Sent from my iPhone

> On Jan 31, 2017, at 16:46, Dynastic Space <dynasticspace at gmail.com> wrote:
> 
> We are running libreswan version 3.14. We have only 3 users using the system, and all have their "Connect on Demand" set to yes. After 2 days, 200 IPs are allocated and not returned to the pool.
> 
> Here is the configuration:
> 
> config setup
>   protostack=netkey
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>   uniqueids=no
>   plutostderrlog=/var/log/libreswan
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=aaa.bbb.ccc.ddd
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
> 
> With 'uniqueids=no' we are running out of IPs.
> When we set uniqueids to 'yes', we seem to be stable.
> 
> I encountered this post: https://lists.libreswan.org/pipermail/swan/2016/001731.html, stating that uniqueids=yes should not be used with authby=secret.
> 
> Do you have a recommendation? Could you explain why we are running out of those IPs?
> 
> Thanks
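A simplified lease-pool model of the behaviour discussed in this thread, added here as an illustration; it is not libreswan code and does not come from either poster. The pool range and the 8h lifetime are taken from the thread, while the 5-minute reconnect interval, the 120 s DPD timeout, lockstep reconnects and a distinct ID per user are assumptions.

```python
POOL_SIZE = 245  # 10.231.247.10-10.231.247.254, from the posted rightaddresspool


def simulate(users, session_s, duration_s, salifetime_s=8 * 3600,
             dpd_timeout_s=None, uniqueids=False, pool_size=POOL_SIZE):
    """Model clients that vanish without sending a delete and reconnect.

    Returns (peak leases held, connections refused for lack of an address).
    """
    leases = []  # (owner, expiry_time) for every address currently locked
    peak = refused = 0
    for t in range(0, duration_s, session_s):  # assumed: users reconnect in step
        # Addresses come back only when the SA expires or DPD clears the peer.
        leases = [(o, e) for o, e in leases if e > t]
        for user in range(users):
            if uniqueids:
                # Assumed: a reconnect with the same ID replaces the old
                # connection, so its address is freed immediately.
                leases = [(o, e) for o, e in leases if o != user]
            if len(leases) >= pool_size:
                refused += 1
                continue
            vanish = t + session_s          # client disappears silently here
            expiry = t + salifetime_s       # without DPD: locked for salifetime
            if dpd_timeout_s is not None:
                expiry = min(expiry, vanish + dpd_timeout_s)
            leases.append((user, expiry))
        peak = max(peak, len(leases))
    return peak, refused


if __name__ == "__main__":
    two_days = 2 * 24 * 3600
    scenarios = [
        ("uniqueids=no, no dpd", {}),
        ("uniqueids=no, dpd 120s", {"dpd_timeout_s": 120}),
        ("uniqueids=yes, no dpd", {"uniqueids": True}),
    ]
    for label, kwargs in scenarios:
        peak, refused = simulate(users=3, session_s=300,
                                 duration_s=two_days, **kwargs)
        print(f"{label:24} peak={peak:3d} refused={refused}")
```

In this model the number of locked addresses settles at roughly the reconnect rate multiplied by the time a stale lease is held, which is why three users can drain a /24-sized pool.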