Hi Karl,
--On Tuesday, February 18, 2014 06:24:46 PM +0100 Karl Hiramoto
<k...@hiramoto.org> wrote:
> I have multiple road warriors with their own certificates.
> How can I temporarily disable the user, without revoking the
> certificate, can I do that?

I assume you don't have a unique entry for every user in your
ipsec.conf, so that you simply could disable this config?

> Do I revoke it, and re-enable by removing it from the CRL? Is
> there an easier way?

Reenabling a revoked certificate is not a good idea.
You could add a specific config for his connection for example:
conn tempdis
    authby=rsasig
    right=%any
    rightid="@certificatename"
    rightauth2=xauth
    auto=add
I think this specific config should win over a catchall.
rightauth2=xauth would require a 2nd auth before establishing the
tunnel.
So if you put
    tempdis : XAUTH "noentryhere"
in your ipsec.secrets he couldn't log in without knowing the secret and
the connection would fail.
I'm not 100% sure of this solution. Could anyone comment if it works
this way?
Dirk