Re: [strongSwan] temporarily disable a road warrior user
Hi Karl,

> How can I temporarily disable the user, without revoking the certificate, can I do that? Do I revoke it, and to re-enable by removing it from the CRL? Is there an easier way?

Setting the certificate on-hold is certainly an option, using a CRL or even better an OCSP service.

Alternatively, you may consider using the whitelist [1] plugin. Once enabled, the plugin allows connections only from explicitly specified users. It requires that you maintain a complete list of allowed users (not those blocked).

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/Whitelist

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
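Added example, not part of Martin's message and not strongSwan project code: a small shell wrapper showing how a temporary suspension maps onto an allow-list, where "disable" means removing the identity and remembering not to re-add it. It assumes the whitelist plugin is loaded and its `ipsec whitelist` helper accepts `add`, `remove` and `enable`; the file paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the whitelist plugin is loaded and the
# `ipsec whitelist` helper is installed; paths below are hypothetical.
IPSEC=${IPSEC:-ipsec}                       # override for dry runs
USERS=${USERS:-/etc/ipsec.d/rw-users.txt}   # every road warrior identity, one per line
HOLD=${HOLD:-/etc/ipsec.d/rw-hold.txt}      # identities currently suspended

# True if the identity is on the hold list (exact, whole-line match).
rw_on_hold() {
    [ -f "$HOLD" ] && grep -Fxq -- "$1" "$HOLD"
}

# Suspend: record the hold first, then drop the identity from the whitelist.
rw_hold() {
    rw_on_hold "$1" || printf '%s\n' "$1" >> "$HOLD"
    $IPSEC whitelist remove "$1"
}

# Release: clear the hold, then allow the identity again.
rw_release() {
    if [ -f "$HOLD" ]; then
        grep -Fxv -- "$1" "$HOLD" > "$HOLD.tmp" || true
        mv "$HOLD.tmp" "$HOLD"
    fi
    $IPSEC whitelist add "$1"
}

# Rebuild the whitelist from the full user list, skipping held identities,
# then switch enforcement on. The list must name everyone who is allowed.
rw_sync() {
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        rw_on_hold "$id" || $IPSEC whitelist add "$id"
    done < "$USERS"
    $IPSEC whitelist enable
}
```

Setting `IPSEC=echo` prints the commands instead of running them.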
Re: [strongSwan] temporarily disable a road warrior user
Hi Karl,

--On Tuesday, February 18, 2014 06:24:46 PM +0100 Karl Hiramoto k...@hiramoto.org wrote:

> I have multiple road warriors with their own certificates. How can I temporarily disable the user, without revoking the certificate, can I do that?

I assume you don't have a unique entry for every user in your ipsec.conf, so that you simply could disable this config?

> Do I revoke it, and to re-enable by removing it from the CRL? Is there an easier way?

Reenabling a revoked certificate is not a good idea. You could add a specific config for his connection, for example:

    conn tempdis
        authby=rsasig
        right=%any
        rightid=@certificatename
        rightauth2=xauth
        auto=add

I think this specific config should win over a catchall. rightauth2=xauth would require a 2nd auth before establishing the tunnel. So if you put

    tempdis : XAUTH noentryhere

in your ipsec.secrets he couldn't log in without knowing the secret and the connection would fail.

I'm not 100% sure of this solution; could anyone comment if it works this way?

Dirk
[strongSwan] temporarily disable a road warrior user
I have multiple road warriors with their own certificates. How can I temporarily disable the user, without revoking the certificate, can I do that? Do I revoke it, and to re-enable by removing it from the CRL? Is there an easier way?

Thanks,
Karl