[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

Houman houmie at gmail.com
Tue Oct 15 14:20:29 CEST 2019


Hi Tobias,

That's great news.  You are right, I can see those entries in the syslogs. But
there is still a strange issue. At 12:09:27, despite the initial disconnect
request and acknowledgement, strongSwan doesn't disconnect the user.

Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP xxxx:54c4:xxxx:1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32 xxx:54c4:4c90:1::301/128
Oct 15 12:09:27 stag-1 charon: 05[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:27 stag-1 charon: 05[NET] sending packet: from 172.31.X.X[4500] to 5.78.X.X[4500] (352 bytes)


10 seconds later (because of the Acct-Interim-Interval) a second disconnect
request is sent.


post-auth {
    update reply {
        Acct-Interim-Interval = 10
    }
}


Oct 15 12:09:37 stag-1 charon: 16[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 07[IKE] deleting IKE_SA stag-1[35] between 172.31.xx.xx[stag-1.xxx.com]…5.78.xxx.xx[stag-1.xxx.com]
Oct 15 12:09:37 stag-1 charon: 07[IKE] sending DELETE for IKE_SA stag-1[35]
Oct 15 12:09:37 stag-1 charon: 07[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 15 12:09:37 stag-1 charon: 07[NET] sending packet: from 172.31.xx.xx[4500] to 5.78.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 16[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[NET] received packet: from 5.78.xx.xx[4500] to 172.31.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 06[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 06[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:37 stag-1 charon: 06[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease fdd2:54c4:4c90:1::301 by 'houman' went offline
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease 10.10.10.1 by 'houman' went offline

Only this time it actually works and the user is disconnected.  Why isn't
it working the first time around?

Many Thanks,
Houman

On Tue, 15 Oct 2019 at 15:34, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Houman,
>
> > What attributes *should* be in the Disconnect-Request beside User-Name?
>
> None, that's fine.  If you receive a NAK that means no IKE_SA was found
> with a matching remote identity.  You should see something like this in
> the strongSwan log:
>
> > received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> > no IKE_SA matches houman, sending Disconnect-NAK
>
> Regards,
> Tobias
>
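As an added illustration (not part of this thread and not strongSwan code), the script below parses the charon log lines quoted above and reports, for each RADIUS DAE Disconnect-Request, whether charon answered Disconnect-ACK or Disconnect-NAK and whether the IKE_AUTH response for that user's session had already been generated when the request arrived. The log-format regexes, the correlation by charon worker-thread id and the embedded log excerpt are assumptions built from the lines in the post, not a strongSwan API.

```python
import re
# Constructed excerpt: the charon lines quoted in the post above, joined one event per line.
CHARON_LOG = """\
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP xxxx:54c4:xxxx:1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
"""

# Assumed charon/syslog line shape: "<ts> <host> charon: <thread>[<group>] <message>"
LINE = re.compile(r"^(?P<ts>\w+ +\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
ASSIGN = re.compile(r"assigning virtual IP \S+ to peer '(?P<user>[^']+)'")
DAE_REQ = re.compile(r"received RADIUS DAE Disconnect-Request for (?P<user>\S+) from (?P<src>\S+)")
DAE_ACK = re.compile(r"closing (?P<n>\d+) IKE_SA matching Disconnect-Request, sending Disconnect-ACK")
DAE_NAK = re.compile(r"no IKE_SA matches .*sending Disconnect-NAK")

def dae_outcomes(log_text):
    """Return (timestamp, user, 'ACK'|'NAK', ike_sas_closed, ike_auth_done) per Disconnect-Request;
    ike_auth_done says whether charon had already generated the IKE_AUTH response for that user."""
    auth_thread = {}   # worker thread -> user whose IKE_AUTH exchange it is handling
    auth_done = {}     # user -> IKE_AUTH response already generated for the current session
    dae_thread = {}    # worker thread -> (timestamp, user) of the in-flight Disconnect-Request
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thr, msg = m.group("ts"), m.group("thr"), m.group("msg")
        if (a := ASSIGN.search(msg)):
            auth_thread[thr] = a.group("user")
            auth_done[a.group("user")] = False
        elif msg.startswith("generating IKE_AUTH response"):
            user = auth_thread.pop(thr, None)
            if user is not None:
                auth_done[user] = True
        elif (r := DAE_REQ.search(msg)):
            dae_thread[thr] = (ts, r.group("user"))
        elif (k := DAE_ACK.search(msg)) and thr in dae_thread:
            ts0, user = dae_thread.pop(thr)
            results.append((ts0, user, "ACK", int(k.group("n")), auth_done.get(user, False)))
            auth_done[user] = False  # session is being torn down; later NAKs are expected
        elif DAE_NAK.search(msg) and thr in dae_thread:
            ts0, user = dae_thread.pop(thr)
            results.append((ts0, user, "NAK", 0, auth_done.get(user, False)))
    return results
```

On the excerpt above, the 12:09:27 request is reported as NAK with ike_auth_done False (the IKE_AUTH response was only generated afterwards), the first 12:09:37 request as ACK closing 1 IKE_SA, and the second 12:09:37 request as NAK against an already deleted session.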