On Fri, 30 Jul 2010 00:54:31 -0500 Matthew Grooms <[email protected]> wrote:
> I assume the .43 through .46 addresses are the ones being assigned to the client virtual adapter interface via modecfg. However, there is no additional request for a virtual address past the initial phase1 negotiation.

Yes, .43 through .46 are the virtual adapter addresses. On the client side, it has no idea that the gateway is using a new address. The installed security policies stay the same.

> If the user had a session open of any kind, it would die since the adapter would have to be re-assigned a new address.

It gets better. After the phase2 lifetime expires, if the phase1 has been renewed (i.e. the gateway has assigned a new IP), any new phase2 SA fails (cannot send traffic, although SA reaches MATURE state). But, if I set the phase2 lifetime to be longer than the phase1 lifetime, I can continue to send traffic using the original virtual address for the lifetime of the phase2, even after the phase1 re-negotiation has resulted in a new IP being assigned on the gateway side.

> Have you spoken to Aruba support about this?

Not yet, but I shall. I hoped that you might have a quicker solution. :)
