[strongSwan] (Vici) How to disconnect a VPN connection on the server side?

Tobias Brunner tobias at strongswan.org
Tue Oct 15 14:46:07 CEST 2019


Hi Houman,

> That's great news.  You are right, I can see those entries in sys logs.
> But there is still a strange issue. At 12:09:27 despite the initial
> disconnect request and acknowledgement, StrongSwan doesn't disconnect
> the user.

You can't use this method for IKE_SAs that are concurrently being
established.  Such IKE_SAs are locked and, thus, skipped by the
Disconnect handler.  This particular IKE_SA is waiting for the
EAP-Accounting response and until that's received and the IKE_AUTH
response has been sent, the IKE_SA can't be closed via this code path.
It also affects SAs later if they are locked for some reason (e.g.
handling rekeyings or DPDs, but not interim Accounting updates as the SA
is unlocked before sending those).  So perhaps the RADIUS server could
retry sending the Disconnect message if it still has state around for
the user but received a NAK (or delay sending the Disconnect for a bit).
Ideally you'd handle authentication via RADIUS so you could reject
users immediately.

Regards,
Tobias
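The retry-on-NAK approach suggested above, as an added example that is not from this thread or from strongSwan's code: a minimal RFC 5176 Disconnect-Request client that checks the Response Authenticator and resends after a Disconnect-NAK, so a session whose IKE_SA was locked at the first attempt is caught once it is unlocked. The shared secret, the User-Name and the `send` transport callback are assumptions.

```python
import hashlib
import hmac
import struct
import time

# RFC 5176 (RADIUS Dynamic Authorization) packet codes and the attribute types used here
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ERROR_CAUSE = 1, 101


def _authenticator(code, ident, attrs, secret, auth=b"\x00" * 16):
    """MD5(Code+Identifier+Length+Authenticator+Attributes+Secret), RFC 5176 section 2.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + auth + attrs + secret).digest()


def build_disconnect_request(ident, user_name, secret):
    """Disconnect-Request carrying a User-Name attribute to identify the session to drop."""
    attrs = struct.pack("!BB", USER_NAME, 2 + len(user_name)) + user_name
    auth = _authenticator(DISCONNECT_REQUEST, ident, attrs, secret)  # Request Authenticator
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_response(code, request, secret, attrs=b""):
    """ACK/NAK for `request`; the Response Authenticator is computed over the Request one."""
    auth = _authenticator(code, request[1], attrs, secret, auth=request[4:20])
    return struct.pack("!BBH", code, request[1], 20 + len(attrs)) + auth + attrs


def parse_response(data, request, secret):
    """Return the response code after checking Identifier, length and Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if ident != request[1] or length != len(data) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("unexpected DAE response")
    expected = _authenticator(code, ident, data[20:], secret, auth=request[4:20])
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    return code


def disconnect_with_retry(send, user_name, secret, attempts=3, delay=1.0, first_ident=0):
    """Send a Disconnect-Request via send(packet) -> bytes (e.g. UDP to the DAE port, 3799 by
    default); on Disconnect-NAK wait `delay` seconds and resend with a fresh Identifier.
    Returns the attempt number that got an ACK, or 0 if every attempt was NAKed."""
    for attempt in range(attempts):
        request = build_disconnect_request((first_ident + attempt) & 0xFF, user_name, secret)
        if parse_response(send(request), request, secret) == DISCONNECT_ACK:
            return attempt + 1
        time.sleep(delay)  # give the IKE_SA time to finish IKE_AUTH / rekeying and unlock
    return 0
```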

