[strongSwan] updown - server which disconnects one roadworrior when another connects
lejeczek
peljasz at yahoo.co.uk
Mon Sep 28 14:31:23 CEST 2020
On 28/09/2020 10:52, Tobias Brunner wrote:
> Hi,
>
>> up-client is called for each combination of remote ts and local ts components, as is down-client, when a CHILD_SA is established/destroyed.
>> So when a CHILD_SA is rekeyed, both are called in the order the CHILD_SAs are negotiated/destroyed.
> The updown script is *not* called for IKE or CHILD_SA rekeyings.
> However, if reauthentication is used with IKEv2, the script will be
> called as new CHILD_SAs are created. A down-event will be called either
> before or after the reauthentication and the corresponding up-event
> depending on whether make-before-break reauthentication is used by the
> client, see [1].
>
> By the way, the VICI interface does expose the ike/child-rekey events.
> But reauthentication is not handled differently.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
Thanks. Okay, if I may repeat my question: is that behavior
controllable somehow, configured somewhere, or is it all up to
the script?
In case the config does the trick, here is what I have on the
server's end:
connections {
    jatymy {
        version = 2
        dpd_delay = 300s
        fragmentation = "yes"
        pools = "dhcp"
        local {
            certs = "jatymy-vpnserver.cert.der"
            id = "%any"
        }
        remote {
        }
        children {
            jatymy {
                updown = "/usr/libexec/strongswan/vti-iface server"
                mark_in = 11
                mark_out = 11
                local_ts = "10.3.1.0/24"
                start_action = "start"
                mode = pass
            }
        }
    }
}
many thanks, L.
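The event ordering Tobias describes (down-then-up on a plain reauthentication, up-then-down with make-before-break) is exactly what an updown script has to survive when several roadwarriors share one mark and therefore one VTI. The following is an added example, not the poster's /usr/libexec/strongswan/vti-iface script and not part of strongSwan: it reference-counts the CHILD_SAs behind an interface and keys each record on the IKE_SA's unique id, so that a down-event from one client (or from one client's old IKE_SA) never tears down the interface another client is still using. PLUTO_VERB, PLUTO_UNIQUEID, PLUTO_PEER_CLIENT and PLUTO_MARK_IN are variables the updown plugin really exports; the state directory, the vti_* placeholder functions and the scenario helpers that replay the events are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's vti-iface script, not strongSwan code):
# share one VTI among several roadwarriors by counting the CHILD_SAs that
# use it, keyed on the IKE_SA unique id so both reauthentication orders
# (down-then-up, and make-before-break up-then-down) leave it consistent.
# Assumption: a writable state directory; a real script would use a fixed
# one such as /run/strongswan-updown instead of mktemp.
STATE_DIR="${UPDOWN_STATE_DIR:-$(mktemp -d)}"

# Placeholders for the privileged work. A real script would run e.g.
#   ip tunnel add "$1" mode vti key "$2" local <server-ip> remote 0.0.0.0
#   ip link set "$1" up
# Here they only log the action so the logic runs without root.
vti_create() { echo "created $1 key $2" >> "$STATE_DIR/actions"; }
vti_delete() { echo "deleted $1" >> "$STATE_DIR/actions"; }

# Number of CHILD_SAs currently recorded against an interface.
active_count() {
    n=0
    for f in "$STATE_DIR/$1"/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Entry point: reads the PLUTO_* environment as strongSwan sets it.
# PLUTO_MARK_IN looks like "11/0xffffffff"; the interface is vti<mark>.
updown() {
    mark="${PLUTO_MARK_IN%%/*}"
    iface="vti$mark"
    # One record per (IKE_SA, remote TS). Keying on PLUTO_PEER_CLIENT alone
    # breaks make-before-break: the new IKE_SA's up-event would overwrite the
    # record and the old IKE_SA's down-event would then delete it.
    rec=$(printf '%s_%s' "$PLUTO_UNIQUEID" "$PLUTO_PEER_CLIENT" | tr '/:' '__')
    mkdir -p "$STATE_DIR/$iface"
    case "$PLUTO_VERB" in
        up-client)
            if [ "$(active_count "$iface")" -eq 0 ]; then
                vti_create "$iface" "$mark"
            fi
            : > "$STATE_DIR/$iface/$rec"
            ;;
        down-client)
            rm -f "$STATE_DIR/$iface/$rec"
            if [ "$(active_count "$iface")" -eq 0 ]; then
                vti_delete "$iface"
            fi
            ;;
        *)  # up-host/down-host are not relevant for these tunnel-mode clients
            ;;
    esac
}

# --- replay of constructed events (what strongSwan would invoke) ---
reset_state() { rm -rf "$STATE_DIR/vti11"; : > "$STATE_DIR/actions"; }

# fire VERB UNIQUEID PEER_CLIENT: call the handler with that environment.
fire() {
    ( PLUTO_VERB="$1" PLUTO_UNIQUEID="$2" PLUTO_PEER_CLIENT="$3"
      PLUTO_MARK_IN="11/0xffffffff" PLUTO_MARK_OUT="11/0xffffffff"
      export PLUTO_VERB PLUTO_UNIQUEID PLUTO_PEER_CLIENT PLUTO_MARK_IN PLUTO_MARK_OUT
      updown )
}

summary() {
    creates=$(grep -c '^created' "$STATE_DIR/actions" || true)
    deletes=$(grep -c '^deleted' "$STATE_DIR/actions" || true)
    echo "creates=$creates deletes=$deletes active=$(active_count vti11)"
}

# Clients A (IKE_SA 1) and B (IKE_SA 2) connect; A reauthenticates without
# make-before-break: old CHILD_SA down, then new IKE_SA's (3) CHILD_SA up.
scenario_break_before_make() {
    reset_state
    fire up-client   1 10.3.1.10/32
    fire up-client   2 10.3.1.11/32
    fire down-client 1 10.3.1.10/32
    fire up-client   3 10.3.1.10/32
    summary
}

# Same, but A uses make-before-break: new CHILD_SA up before the old one down.
scenario_make_before_break() {
    reset_state
    fire up-client   1 10.3.1.10/32
    fire up-client   2 10.3.1.11/32
    fire up-client   3 10.3.1.10/32
    fire down-client 1 10.3.1.10/32
    summary
}

# Both clients leave: only the last down-event removes the interface.
scenario_all_down() {
    reset_state
    fire up-client   1 10.3.1.10/32
    fire up-client   2 10.3.1.11/32
    fire down-client 1 10.3.1.10/32
    fire down-client 2 10.3.1.11/32
    summary
}

scenario_break_before_make   # creates=1 deletes=0 active=2
scenario_make_before_break   # creates=1 deletes=0 active=2
scenario_all_down            # creates=1 deletes=1 active=0
```

In all three replays the interface is created once and survives every per-client down-event until no CHILD_SA references it; a script that unconditionally runs `ip link del` on down-client would instead drop the interface for the remaining client in the first two cases. Note that, as Tobias says, none of these events fire for rekeying, so the counter only moves on real CHILD_SA creation and deletion.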