[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

Houman houmie at gmail.com
Tue Oct 15 12:11:45 CEST 2019


Hello Tobias,

Thank you for your help on this. I have managed to utilise the eap-radius
plugin to listen to disconnect messages from FreeRADIUS.

I get strange reporting in the logs. It seems that strongSwan rejects the
initial disconnect message with a NAK.

(4) Sent Disconnect-Request Id 11 from 0.0.0.0:42481 to 127.0.0.1:3799
length 28
(4)   User-Name = "houman"
(4) Sent Accounting-Response Id 178 from 127.0.0.1:1813 to 127.0.0.1:51530
length 0
(4) Finished request
(4) Cleaning up request packet ID 178 with timestamp +6
Waking up in 2.1 seconds.
(4) Clearing existing &reply: attributes
(4) Received Disconnect-NAK Id 11 from 127.0.0.1:3799 to 127.0.0.1:42481
length 20

What attributes *should* be in the Disconnect-Request beside User-Name?  Is
there anything else I need to avoid getting a NAK from strongSwan?

Many Thanks,
Houman


On Tue, 10 Sep 2019 at 12:02, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Houman,
>
> > Do you think that is possible to do via FreeRadius?
>
> See [1].
>
> > Just to be
> > clear there is always a 1:1 relationship between IKE_SA and a user at a
> > time, correct?
>
> Probably, that is, if you don't allow multiple IKE_SAs per user identity.
>
> > If I end an IKE_SA, I won't be kicking several users by
> > mistake?
>
> Not if you do so by unique ID (by name wouldn't be a good idea because
> all IKE_SAs by roadwarriors will share the name of the connection).
>
> > So in other words what
> > I'm trying to achieve is possible with Vici right?
>
> Yes.
>
> Regards,
> Tobias
>
> [1]
>
> https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Session-Timeout-and-Dynamic-Authorization-Extension
>
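For reference on the packet shapes in the log above: a 28-byte Disconnect-Request is the 20-byte RADIUS header plus an 8-byte User-Name ("houman") and nothing else, and a 20-byte Disconnect-NAK is a bare header with no Error-Cause attribute. The following is an added example, not code from this thread, FreeRADIUS or strongSwan: it encodes a Disconnect-Request per RFC 5176 (with a Message-Authenticator) and checks it the way a Dynamic Authorization server does, so the fields that must agree between client and server (length, shared secret, both authenticators) are visible; the shared secret and user name are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS Dynamic Authorization (RFC 5176) packet codes and attribute types
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(secret: bytes, ident: int, user: str) -> bytes:
    """Disconnect-Request carrying User-Name and a Message-Authenticator (RFC 5176 3.3:
    HMAC-MD5 with Request Authenticator and MAC zeroed), then the Request Authenticator
    (RFC 5176 2.3: MD5 over header, 16 zero bytes, attributes and the shared secret)."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, hdr + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac  # the MAC is the value of the last attribute
    auth = hashlib.md5(hdr + bytes(16) + attrs + secret).digest()
    return hdr + auth + attrs

def parse_attrs(pkt: bytes):
    """TLVs after the 20-byte header as (type, offset, value); None if malformed."""
    out, pos = [], 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], (pkt[pos + 1] if pos + 1 < len(pkt) else 0)
        if length < 2 or pos + length > len(pkt):
            return None
        out.append((attr_type, pos, pkt[pos + 2:pos + length]))
        pos += length
    return out

def verify_request(secret: bytes, pkt: bytes) -> bool:
    """Check a request as a DAE server does; a failure of either authenticator means NAK."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    attrs = parse_attrs(pkt)
    if attrs is None:
        return False
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(auth, hashlib.md5(hdr + bytes(16) + body + secret).digest()):
        return False
    for attr_type, pos, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:  # recomputed with both authenticator fields zeroed
            zeroed = hdr + bytes(16) + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            if not hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest()):
                return False
    return True
```

A request that passes verify_request with the server's secret but is still answered with a NAK has been rejected for a reason other than its authenticators, such as no session matching the supplied attributes.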