On 20.05.19 at 14:59, Tobias Brunner wrote:
> Hi Sven,
> 
> You explicitly disabled handling of INITIAL_CONTACT notifies with
> uniqueids=never.  So existing IKE_SAs with the same client identity will
> not be terminated when a new IKE_SA is created, which also means the
> existing virtual IP is not released.  Since the same virtual IP can't be
> assigned to multiple clients, a new virtual IP is allocated instead.
> 
> Also, reducing the DPD timeout on servers with mobile clients is not
> that good an idea as it prevents clients from roaming between networks
> (or being without connectivity for a while due to other reasons) and
> updating the existing IKE_SA via MOBIKE afterwards.

Hello Tobias!

Thanks for the answer. We set "uniqueids" to "never" to allow simultaneous
connections with the same user account. For instance, a simultaneous login
from the iPhone and the iPad.

If this "uniqueness" is only determined by the login username and not
further data (like a MAC address or name of the connecting device), I see
that this will not work.

Or do you have any other ideas to make this work?

Regards
 Sven Anders

-- 
 Sven Anders <and...@anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin
