[strongSwan] How to handle duplicate client IDs?
Grischa Stegemann
gs at plusline.de
Thu Oct 22 16:00:52 CEST 2020
Hello All
We are connecting hardware IP phones with their built-in IPsec client to
our strongSwan server.
The phones can do IKEv2 with PSK plus EAP authentication.
Everything is working fine until two "road warrior phones" happen to
have the same RFC1918 IPv4 address within their corresponding local
(home user) networks behind their individual NAT gateways.
E.g. during IKE_AUTH we get
    looking for peer configs matching xxx.xxx.xxx.xxx[%any]...yyy.yyy.yyy.yyy[192.168.1.10]
for the first client.
Then the connection and the SA are built with '192.168.1.10' as the
client's identifier.
Now a second phone comes along with
    looking for peer configs matching xxx.xxx.xxx.xxx[%any]...zzz.zzz.zzz.zzz[192.168.1.10]
After successful PSK and EAP authentication the new client gets a
different virtual IP assigned, which is good, but then the duplicate SA
check kicks in:
    detected duplicate IKE_SA for '192.168.1.10', triggering delete for old IKE_SA
I have tried uniqueids=no and uniqueids=never but this does not solve
the problem. And I have to admit that I did not fully understand the use
of this parameter. :-(
Our ipsec.conf is rather simple:
    conn IKEv2-PSK-EAP
        left=%any
        leftid=@myhostname.mydomain
        leftsubnet=0.0.0.0/0
        leftauth=psk
        rightsourceip=10.0.200.0/24
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightauth2=psk
        eap_identity=%identity
We have no chance to change the behaviour of the VPN client in any way.
I think it would be great to use the eap_identity string provided from
the client as the rightid. But I have not found a way to achieve this.
Long story, short question:
Is there a workaround or a decent solution for this edge case?
Regards
Grischa
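An added example, not part of the original post: a small Python script that scans charon log lines of the two kinds quoted above (the "looking for peer configs matching" lookup and the "detected duplicate IKE_SA" delete) and reports every IKE identity that has been presented from more than one remote address, together with how many existing IKE_SAs the uniqueness check tore down for that identity. This makes the collision visible from the server log alone, without access to the phones. The log lines, hostnames and addresses (documentation TEST-NET ranges) are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches charon's peer-config lookup line:
#   looking for peer configs matching <local>[<local id>]...<remote>[<remote id>]
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]*)\]"
)

# Matches the uniqueness-check message that deletes the older IKE_SA.
DUPLICATE_RE = re.compile(r"detected duplicate IKE_SA for '(?P<peer_id>[^']*)'")

# Constructed sample log (not taken from the original post). Two phones behind
# different NAT gateways (198.51.100.20 and 198.51.100.77) both present the
# IKE identity 192.168.1.10; a third phone presents 10.0.0.5 from one address.
SAMPLE_LOG = """\
Oct 22 15:58:01 vpn charon: 05[CFG] looking for peer configs matching 203.0.113.5[%any]...198.51.100.20[192.168.1.10]
Oct 22 15:58:01 vpn charon: 05[CFG] selected peer config 'IKEv2-PSK-EAP'
Oct 22 15:59:40 vpn charon: 07[CFG] looking for peer configs matching 203.0.113.5[%any]...198.51.100.77[192.168.1.10]
Oct 22 15:59:40 vpn charon: 07[IKE] detected duplicate IKE_SA for '192.168.1.10', triggering delete for old IKE_SA
Oct 22 16:02:13 vpn charon: 09[CFG] looking for peer configs matching 203.0.113.5[%any]...198.51.100.20[192.168.1.10]
Oct 22 16:02:13 vpn charon: 09[IKE] detected duplicate IKE_SA for '192.168.1.10', triggering delete for old IKE_SA
Oct 22 16:05:02 vpn charon: 11[CFG] looking for peer configs matching 203.0.113.5[%any]...198.51.100.91[10.0.0.5]
"""


def peer_lookups(lines):
    """Yield (remote_addr, remote_id) for every peer-config lookup line."""
    for line in lines:
        m = PEER_LOOKUP_RE.search(line)
        if m:
            yield m.group("remote"), m.group("remote_id")


def find_colliding_ids(lines):
    """Return {identity: sorted remote addresses} for identities seen from
    more than one remote address; identities seen from one address are omitted."""
    seen = defaultdict(set)
    for addr, peer_id in peer_lookups(lines):
        seen[peer_id].add(addr)
    return {pid: sorted(addrs) for pid, addrs in seen.items() if len(addrs) > 1}


def count_duplicate_deletes(lines):
    """Count, per identity, how often the uniqueness check deleted an existing IKE_SA."""
    counts = Counter()
    for line in lines:
        m = DUPLICATE_RE.search(line)
        if m:
            counts[m.group("peer_id")] += 1
    return dict(counts)


def report(lines):
    """One human-readable line per colliding identity."""
    lines = list(lines)  # the two passes below need a re-iterable sequence
    colliding = find_colliding_ids(lines)
    deletes = count_duplicate_deletes(lines)
    return [
        f"identity {pid!r} presented from {len(addrs)} remote addresses "
        f"({', '.join(addrs)}); {deletes.get(pid, 0)} IKE_SA deletes caused"
        for pid, addrs in sorted(colliding.items())
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

Run it against a real charon log (`journalctl -u strongswan` or the syslog file, piped in or read with `open()`) and each reported identity is a set of clients that will keep deleting each other's tunnel as long as the uniqueness policy is enforced. Two checks worth making before concluding that the policy setting has no effect: in ipsec.conf `uniqueids` is a `config setup` option rather than a `conn` option, and changes to `config setup` only take effect after restarting charon (`ipsec restart`), not after `ipsec reload`; in swanctl.conf the equivalent per-connection option is `connections.<name>.unique`.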