Hi Houman,
> That's great news. You are right, I can see those entries in sys logs.
> But there is still a strange issue. At 12:09:27 despite the initial
> disconnect request and acknowledgement, StrongSwan doesn't disconnect
> the user.
You can't use this method for IKE_SAs that are
Hi Tobias,
That's great news. You are right, I can see those entries in sys logs. But
there is still a strange issue. At 12:09:27 despite the initial disconnect
request and acknowledgement, StrongSwan doesn't disconnect the user.
Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease
Hi Houman,
> What attributes *should* be in the Disconnect-Request beside User-Name?
None, that's fine. If you receive a NAK that means no IKE_SA was found
with a matching remote identity. You should see something like this in
the strongSwan log:
> received RADIUS DAE Disconnect-Request for
Hello Tobias,
Thank you, for your help on this. I have managed to utilise eap-radius
plugin to listen to disconnect messages from Freeradius.
I get strange reporting in the logs. It seems that StrongSwan rejects the
initial disconnect message with a NAK.
(4) Sent Disconnect-Request Id 11 from
Hi Houman,
> Do you think that is possible to do via FreeRadius?
See [1].
> Just to be
> clear there is always a 1:1 relationship between IKE_SA and a user at a
> time, correct?
Probably, that is, if you don't allow multiple IKE_SAs per user identity.
> If I end an IKE_SA, I won't be kicking
Hello Tobias,
Thank you for your reply.
Not directly (at least not via vici, it might be possible via RADIUS,
> depending on the RADIUS server).
>
This is concerning if this wasn't possible. I have FreeRadius 3.0.16, maybe
I should explain the use case I'm trying to achieve.
I have setup a
Hi Houman,
> Is there is a way to disconnect a specific strongswan user from the
> command line?
Not directly (at least not via vici, it might be possible via RADIUS,
depending on the RADIUS server).
> I have found the Vici plugin, but there is no documentation whatsoever.
What do you mean?
