From: Norbert Wegener (nw_at_sbs.de)
Date: Wed Jul 31 2002 - 23:49:08 CEST
Hello Andreas,
First of all: thanks for the explanation.
Andreas Steffen wrote:
>
> Well, if you have set keylife=24h then it is just normal behaviour
> to keep the eroute for at least this time frame. The problem
> will always occur when a different user logs in with an IP
> for which an eroute is still in use.
But another question arises: Why can the existing eroute not be taken
down in this case?
If you have a limited pool of IP addresses for your customers and no
client with delete notification, you will probably run into a problem like
this one.
Regards
Norbert
> The only solution is
> either to reduce the keylife sufficiently so that the probability
> of another user getting the lease of the same IP before the
> IPsec SA expires becomes small enough or as an alternative to
> implement support of delete notifications (if the VPN client
> generates them) so that the IPsec SA and the corresponding eroute
> is automatically deleted when the client disconnects.
>
> Regards
>
> Andreas
--
Norbert Wegener
SBS Essen, Germany
Phone: (49) 201 2661 379
Fax: (49) 201 2661 377
Mail: nw_at_sbs.de
http://relax.sbs.de (intranet)

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users