Hi,

I'm using VPN on demand from iOS devices using IKEv1 and triggering on all traffic.

A consequence of this is that if a user's client cert expires or if I blacklist them, then their device becomes wedged trying to reconnect to the VPN because the domain is in "OnDemandMatchDomainsAlways". Is there a known workaround for this? Ideally I'd like a non-auth'd user to give up rather than keep trying. Is there an alternative to OnDemandMatchDomainsAlways which tries once and then gives up?

Note: I realize the above is an iOS VPN client issue and not a strongSwan problem.

On a somewhat related point ... has anyone implemented anything like a captive portal with strongSwan? What I'd like is to have users on a blacklist where, rather than being banned from connecting, they can connect but (for example) I give them a different DNS server which resolves everything to a webapp they have to engage with to renew their account or whatever. Can anyone make any suggestions on how to accomplish this with strongSwan? I'm assuming some sort of plugin would have to be involved.

Thanks.
