[vpn-help] Timeouts?

kevin shrew-vpn klmlk at hotmail.com
Fri Jul 30 06:53:32 CDT 2010


On Fri, 30 Jul 2010 00:54:31 -0500
Matthew Grooms <mgrooms at shrew.net> wrote:

> I assume the .43 through .46 addresses are the ones being assigned to
> the client virtual adapter interface via modecfg. However, there is no
> additional request for a virtual address past the initial phase1
> negotiation.

Yes, .43 through .46 are the virtual adapter addresses.  On the client
side, it has no idea that the gateway is using a new address.  The
installed security policies stay the same.

> If the user had
> a session open of any kind, it would die since the adapter would have
> to be re-assigned a new address. 

It gets better.  After the phase2 lifetime expires, if the phase1 has
been renewed (i.e. the gateway has assigned a new IP), any new phase2 SA
fails (cannot send traffic, although SA reaches MATURE state).  But, if
I set the phase2 lifetime to be longer than the phase1 lifetime, I can
continue to send traffic using the original virtual address for the
lifetime of the phase2, even after the phase1 re-negotiation has
resulted in a new IP being assigned on the gateway side.

> 
> Have you spoken to Aruba support about this?
> 

Not yet, but I shall.  I hoped that you might have a quicker
solution. :)



