[strongSwan] Allowing only one session per client certificate

kgardenia42 kgardenia42 at googlemail.com
Mon Oct 22 17:14:35 CEST 2012


On Mon, Oct 22, 2012 at 9:34 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi,
>
>> I initially imagined the participant ID was the combined "C", "O" and
>> "CN" fields on the client certificate.  However, that doesn't seem to
>> be the case. So I'm gathering participant ID then defined as "ios"
>> in this case?  i.e. what I referred to as the "traffic selector" above?
>
> No, if XAuth (IKEv1) or EAP (IKEv2) is used the username (or
> EAP-Identity) must be unique as that will be used for uniqueness checks.
>  The IKE identity (certificate DN in your case) will be ignored.
>
>> Is there a configuration setting I can do to "clobber" (kick off) any
>> existing sessions from the same client certificate (based on CN).  I
>> thought that might be "uniqueids" but based on the above it seems not.
>
> Yes, uniqueids is the right option but you will have to use different
> XAuth credentials for each client.

If I were to use rsasig rather than xauthrsasig then does the "DN" of
the client certificate become the key for uniqueness checks?

I'm wondering if iOS devices will allow rsasig over xauthrsasig.  I
guess I need to try it.

Colm
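As an added illustration (not part of this thread and not taken from the strongSwan project), the sketch below shows where `uniqueids` lives in `ipsec.conf` and the two authentication variants discussed above. The connection names, certificate file name and address pool are assumptions; only the option keywords are real strongSwan settings.

```ini
# Added example, not from the original thread. Assumed gateway ipsec.conf.

config setup
    # uniqueids is global: a new IKE_SA whose identity matches an existing one
    # replaces that existing SA. Which identity is compared depends on the conn.
    uniqueids=yes

# Certificate plus XAuth (what the thread calls xauthrsasig): the XAuth
# username, not the certificate DN, is the identity the uniqueness check
# compares, so every device needs its own XAuth user in ipsec.secrets.
conn ios-xauth
    keyexchange=ikev1
    authby=xauthrsasig
    left=%defaultroute
    leftcert=gatewayCert.pem        # assumed file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24     # assumed virtual IP pool
    auto=add

# Certificate only (rsasig): there is no XAuth identity, so the IKE identity,
# i.e. the client certificate DN, is what the uniqueness check compares.
conn ios-rsasig
    keyexchange=ikev1
    authby=rsasig
    left=%defaultroute
    leftcert=gatewayCert.pem        # assumed file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24     # assumed virtual IP pool
    auto=add
```

For the `ios-xauth` conn, `ipsec.secrets` would carry one `<user> : XAUTH "<password>"` line per device; two devices sharing the same XAuth user would be treated as the same participant and replace each other, which is the behaviour the thread describes. With `ios-rsasig`, two certificates that share a DN would likewise collide, so DNs must be distinct per device for the check to be meaningful.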
