[strongSwan] VPN works with only 1 remote client. second client logs in and disconnects the first.
Tobias Brunner
tobias at strongswan.org
Wed Nov 6 11:17:30 CET 2013
Hi Lawrence,
It's not the XAuth users but the certificate's DN that is equal and
causes the deletion of the previous SA:
> Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
> #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
> Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
> #3: crl not found
> Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
> #3: certificate status unknown
> Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107
> #3: deleting connection "ios" instance with peer 166.147.65.85
> {isakmp=#0/ipsec=#0}
If you don't want to use different certificates for each client, you
could try setting uniqueids=no in the "config setup" section in ipsec.conf.
I don't know how pluto reacts to INITIAL_CONTACT notifies, but it could
be that it deletes previous SAs anyway if it receives such a notify,
despite the uniqueids=no setting. If that's the case you'll have to use
different certificates (i.e. different DNs) or update to strongSwan
5.0.1 or newer where charon supports the setting uniqueids=never, which
forces it to ignore INITIAL_CONTACT notifies.
Regards,
Tobias
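Before touching uniqueids, the DN collision described in this reply can be confirmed from the pluto log itself. The script below is an added example, not strongSwan code or anything posted in the thread; the log lines are constructed to mirror the quoted excerpt (with RFC 5737 test addresses for the second and third clients), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in pluto's log format, modelled on the excerpt quoted
# above: two clients (198.51.100.10 and 166.147.65.85) authenticate with the
# same certificate DN, a third presents its own DN and is left alone.
SAMPLE_LOG = """\
Nov 5 12:15:02 vmware-u003 pluto[27166]: "ios"[3] 198.51.100.10:4500 #2: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Nov 5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107 #3: deleting connection "ios" instance with peer 198.51.100.10 {isakmp=#0/ipsec=#0}
Nov 5 12:20:41 vmware-u003 pluto[27166]: "ios"[5] 203.0.113.7:4500 #4: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=laptop2.mycompany.local'
"""

# Common prefix of pluto's per-instance messages: "conn"[instance] peer:port #state:
PREFIX = r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+):\d+ #\d+: '
PEER_ID = re.compile(PREFIX + r"Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")
DELETED = re.compile(PREFIX + r'deleting connection "(?P<victim>[^"]+)" instance with peer (?P<old>[\d.]+)')


def dn_collisions(log_text):
    """Map each certificate DN to the sorted peer addresses that presented it,
    keeping only DNs seen from more than one address (what uniqueids acts on)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PEER_ID.search(line)
        if m:
            seen[m.group("dn")].add(m.group("peer"))
    return {dn: sorted(peers) for dn, peers in seen.items() if len(peers) > 1}


def deleted_instances(log_text):
    """List (connection, evicted peer address) for every instance pluto tore down."""
    return [(m.group("victim"), m.group("old"))
            for m in map(DELETED.search, log_text.splitlines()) if m]


def report(log_text):
    """Correlate the two: an eviction whose old peer shares its DN with another
    peer is the duplicate-identity teardown, not an auth or CRL failure."""
    collisions = dn_collisions(log_text)
    findings = []
    for conn, old in deleted_instances(log_text):
        dns = [dn for dn, peers in collisions.items() if old in peers]
        if dns:
            findings.append(f"{conn}: {old} evicted because DN {dns[0]!r} is shared with {collisions[dns[0]]}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it against the real log (e.g. the pluto lines from auth.log) instead of SAMPLE_LOG; an empty report means the disconnects have some other cause and uniqueids is the wrong knob.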