[strongSwan] Allowing only one session per client certificate

Tobias Brunner tobias at strongswan.org
Mon Oct 22 10:34:27 CEST 2012


Hi,

> I initially imagined the participant ID was the combined "C", "O" and
> "CN" fields on the client certificate. However, that doesn't seem to
> be the case. So I'm gathering the participant ID is then defined as "ios"
> in this case? i.e. what I referred to as the "traffic selector" above?

No, if XAuth (IKEv1) or EAP (IKEv2) is used the username (or
EAP-Identity) must be unique as that will be used for uniqueness checks.
The IKE identity (certificate DN in your case) will be ignored.

> Is there a configuration setting I can do to "clobber" (kick off) any
> existing sessions from the same client certificate (based on CN).  I
> thought that might be "uniqueids" but based on the above it seems not.

Yes, uniqueids is the right option but you will have to use different
XAuth credentials for each client.

Regards,
Tobias
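As an added illustration (not part of the original thread, and not strongSwan's own sample configuration): an ipsec.conf and ipsec.secrets fragment, with placeholder hostnames, pool and secrets, that puts Tobias's answer into practice. The uniqueness check keys on the XAuth username (IKEv1) or the EAP identity (IKEv2), so every device gets its own credential and `uniqueids` decides what happens to the older session when that identity connects again.

```ini
# ipsec.conf (added example; connection and file names are placeholders)
config setup
    # replace (alias for yes): a new IKE_SA with an identity already in use
    # tears down the existing one. keep: the existing one stays and the new
    # attempt is rejected. never: no uniqueness check at all.
    uniqueids=replace

# IKEv1: gateway certificate + client certificate + XAuth username/password
conn ios-ikev1-xauth
    keyexchange=ikev1
    leftauth=pubkey
    leftcert=gatewayCert.pem
    # the client certificate is verified, but its DN plays no part in the
    # uniqueids comparison; only the XAuth username does
    rightauth=pubkey
    rightauth2=xauth
    rightsourceip=10.10.0.0/24
    auto=add

# IKEv2: gateway certificate + EAP; the EAP identity is the uniqueness key
conn ios-ikev2-eap
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=gatewayCert.pem
    rightauth=eap-mschapv2
    # use the identity presented inside EAP rather than the outer IKE identity
    eap_identity=%identity
    rightsourceip=10.10.1.0/24
    auto=add

# ipsec.secrets (added example; secrets are placeholders)
# One distinct username per device. Two devices logging in as "alice" would
# count as the same participant, and with uniqueids=replace the earlier
# session would be torn down when the second one comes up.
alice-phone  : XAUTH "placeholder-secret-1"
alice-laptop : XAUTH "placeholder-secret-2"
bob-phone    : EAP   "placeholder-secret-3"
```

When checking the behaviour, watch the charon log after a second connection from the same username: with `replace` you should see the old IKE_SA being deleted as the new one is established, with `keep` the new attempt is refused instead. Sharing one username across several devices defeats the purpose of the check, since the gateway cannot tell the devices apart.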
