IPP.txt - two questions

1) is there a way to the "ifconfig-pool-persist /var/run/ipp.txt" option?

2) more importantly I guess... what happens when the IPP.txt is full?  In other words... does your allocated subnet have to be larger than the number of employees?

Let's say that I have 100 employees.  If I use a /24, that will only give me 64 addresses.  But that is 64 "concurrent" IP addresses at 1 time.  However, b/c of the "pool-persist" option, if every user connects _at some point_, that entire block of 64 will be allocated.  So what happens when user No. 65 tries to connect?  Let's say that only 5 other users are currently connected, so there are plenty of IPs that could be used, but with the pool-persist on and the IPP.txt... will they actually get an IP and a connection?



  • The persistence seems to be set at eight hours (cat /var/chroot-openvpn/etc/openvpn/openvpn.conf-default).  If you might have over 63 try to connect in any 8-hour period, you might indeed want to expand the pool to a /23 that doesn't overlap with any other VPN Pool in use.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    The persistence seems to be set at eight hours (cat /var/chroot-openvpn/etc/openvpn/openvpn.conf-default).  If you might have over 63 try to connect in any 8-hour period, you might indeed want to expand the pool to a /23 that doesn't overlap with any other VPN Pool in use.

    Cheers - Bob

    Thanks Bob - can you clarify what you mean?  For example, I'm already using a /23 - which means a total of 126 concurrent, BUT I'm more talking about having over 126 people connect over the course of weeks/months.  The IPP.txt never appears to get cleared out/purged... and manually editing and removing lines, does not appear to make a difference.  What does "8 hours" mean?  I see no reference to that in the openvpn.conf-default or openvpn.conf... just "ifconfig-pool-persist /var/run/ipp.txt" 
  • You're right, so I [:P] looked at the man page...

    --ifconfig-pool-persist file [seconds]
    Persist/unpersist ifconfig-pool data to file, at seconds intervals
    (default=600), as well as on program startup and shutdown.

    Apparently, the UTM uses the default of 10 minutes, so you should be fine.

    Cheers - Bob

    PS Just a thought - the SSL VPN is very compute-intensive.  I would urge you to consider using L2TP/IPsec if you expect to have dozens of folks connected and working simultaneously.  You should discuss this with your reseller or Sophos Support.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
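An added example, not from the thread, Sophos, or the OpenVPN project: a small Python audit of an ipp.txt against the pool it belongs to. The point of the question above is that with ifconfig-pool-persist every client that has ever connected keeps a line in ipp.txt, so the number a new client competes against is the count of persisted reservations, not the number of tunnels currently up. The sample ipp.txt contents, the pool bounds (10.8.0.4 to 10.8.0.251) and the net30 assumption are constructed for illustration; read your own bounds and topology from openvpn.conf.

```python
"""Audit an OpenVPN ifconfig-pool-persist file (ipp.txt) against the pool size.

Constructed example for this thread. Reservations in ipp.txt survive client
disconnects, so "free" below is what the next never-seen client can still get.
"""
import ipaddress

# Constructed sample of an ipp.txt: one "commonname,ip" line per client.
# Newer OpenVPN releases may append further columns; extra columns are ignored.
# "dave" holds an address outside the pool, as happens after a pool is resized.
SAMPLE_IPP = """\
alice,10.8.0.6
bob,10.8.0.10
carol,10.8.0.14
dave,10.9.0.6
"""


def parse_ipp(text):
    """Return a list of (common_name, IPv4Address) from ipp.txt content."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1]:
            continue
        entries.append((fields[0], ipaddress.IPv4Address(fields[1])))
    return entries


def pool_capacity(start, end, topology="net30"):
    """Number of client slots between start and end (inclusive).

    net30 (the old default topology) consumes a /30 per client, so only every
    fourth address is a slot; subnet topology uses one address per client.
    """
    span = int(end) - int(start) + 1
    if span <= 0:
        raise ValueError("pool end precedes pool start")
    return span // 4 if topology == "net30" else span


def audit_pool(ipp_text, start, end, topology="net30"):
    """Summarise reserved vs. free slots and flag entries outside the pool."""
    start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    entries = parse_ipp(ipp_text)
    in_pool = {ip for _, ip in entries if start <= ip <= end}
    outside = [(cn, str(ip)) for cn, ip in entries if not (start <= ip <= end)]
    capacity = pool_capacity(start, end, topology)
    return {
        "capacity": capacity,
        "reserved": len(in_pool),
        "free": capacity - len(in_pool),
        "outside_pool": outside,
    }


if __name__ == "__main__":
    # Pool bounds are an assumption for illustration; take yours from openvpn.conf.
    report = audit_pool(SAMPLE_IPP, "10.8.0.4", "10.8.0.251")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a copy of /var/run/ipp.txt (or wherever your ifconfig-pool-persist directive points) to see how close the persisted reservations are to the pool's capacity; a "free" value near zero is the condition the original poster was asking about, and "outside_pool" lists lines left over from an earlier pool definition.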
  • Excellent, thank you Bob - did not know that.

    At what numbers would you expect to see issues with SSL VPN?  We're running a little over 40 concurrent tunnels with no apparent CPU/utilization issues...