[strongSwan] VPN on-demand blackholing for unauthenticated users

kgardenia42 kgardenia42 at googlemail.com
Wed Nov 21 17:26:12 CET 2012


Hi,

I'm using VPN on demand from iOS devices using IKEv1 and triggering on
all traffic.

A consequence of this is that if a user's client cert expires or if I
blacklist them then their device becomes wedged trying to reconnect to
the VPN because the domain is in "OnDemandMatchDomainsAlways".  Is
there a known workaround for this?  Ideally I'd like a non-auth'd user
to give up rather than keep trying.  Is there an alternate to
OnDemandMatchDomainsAlways which tries once and then gives up?

Note: I realize the above is an iOS VPN client issue and not a
Strongswan problem.

On a somewhat related point ... has anyone implemented anything like a
captive portal with Strongswan?  What I'd like is to have users on a
blacklist where rather than be banned from connecting they can connect
but (for example) I give them a different DNS server which resolves
everything to a webapp they have to engage with to renew their account
or whatever.  Can anyone make any suggestions on how to accomplish
this with Strongswan?  I'm assuming some sort of plugin would have to
be involved.

Thanks.
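The "captive portal" idea from the second question can be sketched without a plugin, using strongSwan's ordinary per-connection configuration. The ipsec.conf fragment below is an added example, not code from the original message or from the strongSwan project: it assumes certificate-authenticated IKEv1 road warriors, and every hostname, subnet, DN and DNS address in it (including the 10.99.0.53 "portal resolver") is a placeholder. The idea is that strongSwan selects the conn whose identity constraints match the peer most specifically, so a quarantined user can be matched by certificate DN and handed a different DNS server and address pool than everyone else.

```ini
# Added example (not from the original post or the strongSwan project):
# two road-warrior conns that differ only in which DNS server and address
# pool they push to the client. All values below are placeholders.

config setup

conn %default
    keyexchange=ikev1
    left=%defaultroute
    leftcert=vpnGatewayCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    # every peer must present a certificate issued by our CA (placeholder DN)
    rightca="C=CH, O=Example Corp, CN=Example VPN CA"
    auto=add

# Regular users: any peer with a valid certificate from our CA gets the
# normal pool and the real internal resolver.
conn roadwarrior
    rightsourceip=10.10.1.0/24
    rightdns=10.10.0.53

# Quarantined ("blacklisted") users: the more specific match on the peer
# certificate DN is preferred over the generic conn above. The tunnel still
# comes up, but the only DNS server the client receives is the portal
# resolver, which answers every name with the renewal web app's address.
# Giving this group its own pool lets firewall rules on the gateway restrict
# 10.10.2.0/24 to the portal host and the resolver alone.
conn roadwarrior-quarantine
    rightid="C=CH, O=Example Corp, CN=expired-user@example.com"
    rightsourceip=10.10.2.0/24
    rightdns=10.99.0.53
```

Two points worth checking before relying on this. First, it only covers users who can still authenticate: a client whose certificate has actually expired fails IKE authentication before any conn is selected, so the first question (the client retrying forever) is not solved by this approach. Second, a DNS-only redirect is advisory; the client can ignore the pushed resolver or use literal IP addresses, so the address-pool split plus gateway firewall rules is what actually confines quarantined users to the portal.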



