On 7/28/2010 9:35 PM, kevin shrew-vpn wrote:
On Wed, 28 Jul 2010 20:41:44 -0500
Matthew Grooms <[email protected]> wrote:


Is assigning a new IP normal/permitted? Or is this a sign that I
haven't quite got the configs right between the client and gateway?

For what it's worth, the client is only able to connect if it is
set to 'ike config pull'.

Hmmm. Odd that it would assign a different address after an ISAKMP SA
renegotiation. A replacement SA is required when the original
expires. Depending on the gateway, this involves another Xauth and an
additional modecfg negotiation as well. What kind of gateway do you
use?


Hi Matthew, the gateway in question is an Aruba wireless controller.
I'll send you some logs in a direct email.


Hi Kevin,

I had a look at the logs you sent me. Although I'm not that familiar with Aruba products or deciphering their log output, I assume the .43 through .46 addresses are the ones being assigned to the client virtual adapter interface via modecfg. However, there is no additional request for a virtual address past the initial phase1 negotiation. Why the router would assume a new address should be allocated for the client is beyond my comprehension. If the user had a session open of any kind, it would die since the adapter would have to be re-assigned a new address. There is a way to request a specific address using modecfg, assuming the Aruba gateway requires this after phase1 renegotiation. However, since the gateway allocated the new address before modecfg would occur, I don't see any way the client could be modified to correct the issue you are experiencing.

Have you spoken to Aruba support about this?

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
