[strongSwan] VPN works with only 1 remote client. second client logs in and disconnects the first.

Lawrence Chiu Lawrence_Chiu_TX3 at yahoo.com
Wed Nov 6 15:36:06 CET 2013


Thank you Tobias.  I could not use "uniqueids=no" because it was not 
supported by my version of strongSwan (4.5.2).  But using a different 
certificate on the Android client solved the problem.

Regards,
LawrenceC

On 11/6/2013 4:17 AM, Tobias Brunner wrote:
> Hi Lawrence,
>
> It's not the XAuth users but the certificate's DN that is equal and
> causes the deletion of the previous SA:
>
>> Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
>> #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=win7.mycompany.local'
>> Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
>> #3: crl not found
>> Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[3] 166.147.65.85:28107
>> #3: certificate status unknown
>> Nov  5 12:16:19 vmware-u003 pluto[27166]: "ios"[4] 166.147.65.85:28107
>> #3: deleting connection "ios" instance with peer 166.147.65.85
>> {isakmp=#0/ipsec=#0}
> If you don't want to use different certificates for each client, you
> could try setting uniqueids=no in the "config setup" section in ipsec.conf.
>
> I don't know how pluto reacts to INITIAL_CONTACT notifies, but it could
> be that it deletes previous SAs anyway if it receives such a notify,
> despite the uniqueids=no setting.  If that's the case you'll have to use
> different certificates (i.e. different DNs) or update to strongSwan
> 5.0.1 or newer where charon supports the setting uniqueids=never, which
> forces it to ignore INITIAL_CONTACT notifies.
>
> Regards,
> Tobias
>
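As an added example (not part of the thread, and not strongSwan's own sample config), here is how the two fixes Tobias describes look in ipsec.conf on strongSwan 5.0.1 or newer, where charon understands uniqueids=never. The connection name, certificate file names, subnets and pool are assumptions for illustration; the only setting taken from the thread is uniqueids in the "config setup" section.

```ini
# ipsec.conf -- illustrative fragment, assumes strongSwan >= 5.0.1 (charon, not pluto)
config setup
    # uniqueids=yes   (default) a new IKE_SA whose peer identity (here the certificate
    #                 DN) matches an existing one replaces it -> second client kicks the first
    # uniqueids=no    keep both IKE_SAs, but an INITIAL_CONTACT notify from the new client
    #                 still tears the old one down
    # uniqueids=never keep both IKE_SAs and ignore INITIAL_CONTACT as well (5.0.1+)
    uniqueids=never

# IKEv1 road-warrior connection with certificate + XAuth, as in the "ios" conn of the thread.
# Names below (ios, serverCert.pem, 10.10.10.0/24) are assumed, not from the original post.
conn ios
    keyexchange=ikev1
    left=%defaultroute
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
    rightauth2=xauth
    auto=add
```

The cleaner long-term fix is the one Lawrence ended up with: issue every client its own certificate with a distinct subject DN (for example CN=win7.mycompany.local for the laptop and a different CN for the Android device). Then each peer has a unique identity, uniqueids can stay at its default, a lost or stolen device can be revoked on its own without cutting off the others, and the "deleting connection instance" behaviour seen in the pluto log no longer triggers because no two live IKE_SAs share a peer ID.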
