[vpn-help] Timeouts?
kevin shrew-vpn
klmlk at hotmail.com
Fri Jul 30 06:53:32 CDT 2010
On Fri, 30 Jul 2010 00:54:31 -0500
Matthew Grooms <mgrooms at shrew.net> wrote:
> I assume the .43
> through .46 addresses are the ones being assigned to the client
> virtual adapter interface via modecfg. However, there is no
> additional request for a virtual address past the initial phase1
> negotiation.
Yes, .43 through .46 are the virtual adapter addresses. On the client
side, it has no idea that the gateway is using a new address. The
installed security policies stay the same.
> If the user had
> a session open of any kind, it would die since the adapter would have
> to be re-assigned a new address.
It gets better. After the phase2 lifetime expires, if the phase1 has
been renewed (i.e. the gateway has assigned a new IP), any new phase2 SA
fails (cannot send traffic, although SA reaches MATURE state). But, if
I set the phase2 lifetime to be longer than the phase1 lifetime, I can
continue to send traffic using the original virtual address for the
lifetime of the phase2, even after the phase1 re-negotiation has
resulted in a new IP being assigned on the gateway side.
>
> Have you spoken to Aruba support about this?
>
Not yet, but I shall. I hoped that you might have a quicker
solution. :)