Oh, with uniqueids set to no, old clients cannot be distinguished from new clients, so a new lease is given. If the clients vanish without sending a delete, that IP is locked for the salifetime (8h?) if not using dpd.
Sent from my iPhone

> On Jan 31, 2017, at 16:46, Dynastic Space <[email protected]> wrote:
>
> We are running libreswan version 3.14. We have only 3 users using the system,
> all have their "Connect on Demand" set to yes. After 2 days 200 IPs are
> allocated and not returned to the pool.
>
> Here is the configuration:
>
> config setup
>     protostack=netkey
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
>     uniqueids=no
>     plutostderrlog=/var/log/libreswan
>
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.231.247.10-10.231.247.254
>     right=%any
>     cisco-unity=yes
>     modecfgdns1=aaa.bbb.ccc.ddd
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
>
> With 'uniqueids=no' we are running out of IPs.
> When we set uniqueids to 'yes', we seem to be stable.
>
> I encountered this post:
> https://lists.libreswan.org/pipermail/swan/2016/001731.html, stating that
> uniqueids=yes should not be used with authby=secret.
>
> Do you have a recommendation? Could you explain why we are running out of
> those IPs?
>
> Thanks
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
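The lease behaviour the reply describes, as an added toy model that is not libreswan's own code: a pool hands out addresses, replaces a same-ID lease only when uniqueids is on, and otherwise holds an abandoned lease until the assumed 8h salifetime or, when a DPD timeout is given, until DPD declares the peer dead. The client names, timings and the 10.231.247.x range are constructed assumptions.

```python
# Toy model of rightaddresspool lease handling as the reply above describes it; an added
# illustration, not libreswan code. The 8h salifetime, DPD timeout, address range and client names are assumptions.
SALIFETIME = 8 * 3600  # assumed SA lifetime: an abandoned lease is held this long
class Pool:
    def __init__(self, addrs, uniqueids, dpd_timeout=None):
        self.free = list(addrs)
        self.leases = {}  # addr -> {"id", "expires", "vanished"}
        self.uniqueids, self.dpd_timeout = uniqueids, dpd_timeout

    def _release(self, addr):
        del self.leases[addr]
        self.free.append(addr)

    def reap(self, now):
        # Reclaim leases whose SA lifetime ran out or, with DPD configured,
        # whose peer has been silent for longer than the DPD timeout.
        for addr, l in list(self.leases.items()):
            dpd_dead = (self.dpd_timeout is not None and l["vanished"] is not None
                        and now >= l["vanished"] + self.dpd_timeout)
            if now >= l["expires"] or dpd_dead:
                self._release(addr)

    def connect(self, client_id, now):
        self.reap(now)
        if self.uniqueids:  # uniqueids=yes: a new SA with the same ID replaces the old one
            for addr, l in list(self.leases.items()):
                if l["id"] == client_id:
                    self._release(addr)
        if not self.free:
            return None  # pool exhausted: the symptom reported in the thread
        addr = self.free.pop(0)
        self.leases[addr] = {"id": client_id, "expires": now + SALIFETIME, "vanished": None}
        return addr

    def vanish(self, addr, now):
        self.leases[addr]["vanished"] = now  # peer gone without sending an IKE delete

def simulate(uniqueids, dpd_timeout=None, rounds=20, interval=600):
    # Three Connect-on-Demand clients drop without a delete and reconnect every `interval` s.
    pool = Pool([f"10.231.247.{i}" for i in range(10, 255)], uniqueids, dpd_timeout)
    now = 0
    for _ in range(rounds):
        for cid in ("alice", "bob", "carol"):
            addr = pool.connect(cid, now)
            if addr is not None:
                pool.vanish(addr, now + 60)  # drops a minute after connecting
        now += interval
    pool.reap(now)
    return len(pool.leases)  # addresses still held by the pool
```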
