[strongSwan] How to handle duplicate client IDs?

Michael Schwartzkopff ms at sys4.de
Thu Oct 22 16:20:23 CEST 2020


On 22.10.20 16:00, Grischa Stegemann wrote:
> Hello All
>
> We are connecting hardware IP phones with their built-in IPsec client
> to our strongSwan server.
> The phones can do IKEv2 with PSK plus EAP authentication.
>
> Everything is working fine until two "road warrior phones" happen to
> have the same RFC1918 IPv4 address within their corresponding local
> (home user) networks behind their individual NAT gateways.
>
> E.g. during IKE_AUTH we get
>
> looking for peer configs matching
> xxx.xxx.xxx.xxx[%any]...yyy.yyy.yyy.yyy[192.168.1.10]
>
> for the first client.
> Then the connection and the SA are built with '192.168.1.10' as the
> client's identifier.
>
> Now a second phone comes along with
> looking for peer configs matching
> xxx.xxx.xxx.xxx[%any]...zzz.zzz.zzz.zzz[192.168.1.10]
>
> After successful PSK and EAP authentication the new client gets a
> different virtual IP assigned, which is good, but then the duplicate
> SA kicks in:
>
> detected duplicate IKE_SA for '192.168.1.10', triggering delete for
> old IKE_SA
>
>
> I have tried uniqueids=no and uniqueids=never but this does not solve
> the problem. And I have to admit that I did not fully understand the
> use of this parameter. :-(
>
> Our ipsec.conf is rather simple:
>
> conn IKEv2-PSK-EAP
>     left=%any
>     leftid=@myhostname.mydomain
>     leftsubnet=0.0.0.0/0
>     leftauth=psk
>     rightsourceip=10.0.200.0/24
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightauth2=psk


Can you configure the phone to use anything other than its IP address for
identification, i.e. a hostname? Logs?


Kind regards,

-- 

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
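As an added example (not part of this thread and not strongSwan's own tooling), the following Python script scans charon log lines in the format quoted above and reports peer identities that were presented from more than one remote endpoint, which is exactly the condition that makes the IKE_SA uniqueness check delete the older SA. The sample log lines are constructed, use documentation address ranges, and assume the message format matches the quoted "looking for peer configs matching ..." and "detected duplicate IKE_SA for ..." lines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the thread) in the charon format quoted above.
# Remote addresses use documentation ranges; both phones present the same
# RFC1918 identity 192.168.1.10 from different NAT gateways.
SAMPLE_LOG = """\
Oct 22 15:58:01 vpn charon: 12[CFG] <3> looking for peer configs matching 203.0.113.5[%any]...198.51.100.7[192.168.1.10]
Oct 22 15:58:01 vpn charon: 12[CFG] <IKEv2-PSK-EAP|3> selected peer config 'IKEv2-PSK-EAP'
Oct 22 16:02:44 vpn charon: 07[CFG] <4> looking for peer configs matching 203.0.113.5[%any]...198.51.100.9[192.168.1.10]
Oct 22 16:02:45 vpn charon: 07[IKE] <IKEv2-PSK-EAP|4> detected duplicate IKE_SA for '192.168.1.10', triggering delete for old IKE_SA
Oct 22 16:05:10 vpn charon: 09[CFG] <5> looking for peer configs matching 203.0.113.5[%any]...198.51.100.22[192.168.1.20]
"""

# "<local>[<local id>]...<remote>[<remote id>]" as logged by charon's config lookup
PEER_RE = re.compile(
    r"looking for peer configs matching "
    r"\S+?\[[^\]]*\]\.\.\.(?P<host>[^\[\s]+)\[(?P<id>[^\]]*)\]"
)
DUP_RE = re.compile(r"detected duplicate IKE_SA for '(?P<id>[^']*)'")


def analyze(log_text):
    """Return (collisions, duplicates).

    collisions: peer identity -> sorted list of remote endpoints that presented it
                (only identities seen from more than one endpoint)
    duplicates: identities for which charon replaced an existing IKE_SA
    """
    endpoints = defaultdict(set)
    duplicates = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            endpoints[m.group("id")].add(m.group("host"))
            continue
        m = DUP_RE.search(line)
        if m:
            duplicates.append(m.group("id"))
    collisions = {pid: sorted(hosts) for pid, hosts in endpoints.items() if len(hosts) > 1}
    return collisions, duplicates


def is_private_address_identity(peer_id):
    """True if the peer identified itself with a private (RFC1918-style) IP
    address, e.g. its own LAN address behind NAT, which is never unique
    across different home networks."""
    try:
        return ipaddress.ip_address(peer_id).is_private
    except ValueError:
        return False


def report(log_text):
    """Human-readable findings, one per line; collisions first, then replaced SAs."""
    collisions, duplicates = analyze(log_text)
    lines = []
    for pid, hosts in sorted(collisions.items()):
        note = " (private address used as identity)" if is_private_address_identity(pid) else ""
        lines.append(f"identity {pid!r} presented by {len(hosts)} endpoints: {', '.join(hosts)}{note}")
    for pid in duplicates:
        lines.append(f"charon replaced an IKE_SA for {pid!r} (uniqueness check fired)")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe real charon output in (e.g. from syslog or journalctl); falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for finding in report(text):
        print(finding)
```

A collision flagged on a private address identity is the signature of the situation described in the thread: two phones behind different NAT gateways identifying themselves by the same LAN address. Giving each phone its own identifier (a hostname, as suggested in the reply above) removes the collision at its source, whereas changing how charon reacts to duplicates only changes which SA survives.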

