[strongSwan] Allowing only one session per client certificate

kgardenia42 kgardenia42 at googlemail.com
Fri Oct 19 19:41:15 CEST 2012


Hi,

I am using strongSwan 5.0.1 and am testing with mobile (iOS) clients.

I am using pretty much the exact config from this recipe:
    http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29

All clients are hanging off one traffic selector (if that is the right
term) called "ios" as per the above URL.

In strongswan 5.0.1 I found that I had to set "uniqueids" to "never"
to allow multiple clients to connect.  Before that they seemed to
clobber each other.

uniqueids is defined as "whether a particular participant ID should be
kept unique".  It isn't fully clear how a participant ID is defined.

Let's say I have these 2 connected clients:

         ios[31]: ESTABLISHED 2 minutes ago, 10.166.xxx.xxx[C=CH,
O=strongSwan, CN=vpn.xxx.com]...82.24.xxx.xxx[C=US, O=strongSwan,
CN=934aee6e-bed8-4f89-a6e9-6059a6cf1fbc]
....
         ios[30]: ESTABLISHED 4 minutes ago, 10.166.xxx.xxx[C=CH,
O=strongSwan, CN=vpn.xxx.com]...71.xxx.xxx.xxx[C=US, O=strongSwan,
CN=b089cc73-a89b-4ffa-b270-f6dee9e7cb95]

(As you can see, each client cert has a UUID (client identifier) baked
into the CN field.)

I initially imagined the participant ID was the combined "C", "O" and
"CN" fields on the client certificate.  However, that doesn't seem to
be the case.  So I'm gathering the participant ID is then defined as "ios"
in this case?  i.e. what I referred to as the "traffic selector" above?

Secondly, I am having a problem whereby, when clients change IP address
(e.g. moving from WiFi to 3G), the old established session stays stuck
in "ipsec status" and new sessions from the user device are in a state
where they cannot make a connection.  A server restart allows them in.

Is there a configuration setting I can use to "clobber" (kick off) any
existing sessions from the same client certificate (based on CN)?  I
thought that might be "uniqueids" but based on the above it seems not.

Let me know if I'm missing something fundamental.

Basically my high-level question is: how can I allow only one session
per client certificate and clobber any old ones on each newly
established connection?

Thanks.
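As an added illustration (not part of the original post or of strongSwan itself), the script below parses `ipsec status` output of the shape quoted above and reports client certificate CNs that currently hold more than one ESTABLISHED IKE_SA, which is how the stuck-after-roaming condition described in the post shows up on the gateway. The status lines, IP addresses and UUID-style CNs are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec status` output (not from the original post; IPs are
# documentation ranges and the client CNs are made-up UUIDs). The second client
# appears twice: a stale SA from its old address and a fresh one after roaming.
SAMPLE_STATUS = """\
Security Associations (3 up, 0 connecting):
         ios[31]: ESTABLISHED 2 minutes ago, 10.166.0.1[C=CH, O=strongSwan, CN=vpn.example.com]...203.0.113.7[C=US, O=strongSwan, CN=11111111-aaaa-4bbb-8ccc-000000000001]
         ios[30]: ESTABLISHED 4 minutes ago, 10.166.0.1[C=CH, O=strongSwan, CN=vpn.example.com]...198.51.100.21[C=US, O=strongSwan, CN=22222222-aaaa-4bbb-8ccc-000000000002]
         ios[29]: ESTABLISHED 47 minutes ago, 10.166.0.1[C=CH, O=strongSwan, CN=vpn.example.com]...198.51.100.88[C=US, O=strongSwan, CN=22222222-aaaa-4bbb-8ccc-000000000002]
"""

# One IKE_SA per line: "<conn>[<id>]: <STATE> <age>, <local_ip>[<local_id>]...<remote_ip>[<remote_id>]"
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)\s+(?P<age>[^,]*),\s+"
    r"(?P<local_ip>\S+)\[(?P<local_id>[^\]]*)\]\.\.\.(?P<remote_ip>\S+)\[(?P<remote_id>[^\]]*)\]"
)
# Pull the CN out of a comma-separated DN such as "C=US, O=strongSwan, CN=<uuid>".
CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def parse_ike_sas(status_text):
    """Return one dict per IKE_SA line; the header and CHILD_SA lines are skipped."""
    sas = []
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if not m:
            continue
        sa = m.groupdict()
        sa["id"] = int(sa["id"])
        cn = CN_RE.search(sa["remote_id"])
        # Fall back to the whole remote identity if the peer did not use a DN.
        sa["remote_cn"] = cn.group(1).strip() if cn else sa["remote_id"]
        sas.append(sa)
    return sas


def duplicate_sessions(sas):
    """Map client CN -> its ESTABLISHED SAs, keeping only CNs that hold more than one."""
    by_cn = defaultdict(list)
    for sa in sas:
        if sa["state"] == "ESTABLISHED":
            by_cn[sa["remote_cn"]].append(sa)
    return {cn: lst for cn, lst in by_cn.items() if len(lst) > 1}


if __name__ == "__main__":
    for cn, lst in duplicate_sessions(parse_ike_sas(SAMPLE_STATUS)).items():
        ids = ", ".join(f"{sa['conn']}[{sa['id']}] from {sa['remote_ip']}" for sa in lst)
        print(f"{cn}: {len(lst)} concurrent IKE_SAs ({ids})")
```

Feeding the real `ipsec status` output into `parse_ike_sas` instead of the sample gives an operator a per-certificate view of which stale `ios[N]` instances are lingering after a client roamed.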



