OK, so I discovered (because I was being lazy) that if you use two different devices to connect that both have the same client certificate, the same virtual IP is assigned to both of them, and both seem to work just fine.... other than that they've both got the same IP address o.O
Is that one of the situations this can address (found on https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection )?

"uniqueids = yes | no | never | replace | keep
whether a particular participant ID should be kept unique, with any new IKE_SA using an ID deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new IKE_SA using the same ID is almost invariably intended to replace an old one. The difference between no and never is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT notify if the option is no but will ignore these notifies if never is configured. The daemon also accepts the value replace which is identical to yes and the value keep to reject new IKE_SA setups and keep the duplicate established earlier."

E.g., if I set uniqueids to keep, then the next device trying to use the same certificate will be refused an IP address until such a time as the first one disconnects? Or if I set it to replace, the first device loses its virtual IP, which is then passed to the new device (the device may be any type of client, from laptop to phone)?

Would there be some way to simply give the second device the next virtual IP in the pool? I'm pretty sure at least some of the roadwarrior crew I've got would install their certs on multiple devices, so this situation is likely to pop up. It's the first thing I did, after all, while testing this :-P

thanks,
--Cindy

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
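For reference, here is where the option quoted above is set in a legacy ipsec.conf, with the `keep` and `replace` values the post asks about side by side. This is an added illustration, not configuration from the original message or from the strongSwan project; the connection name, certificate file name and address pool are placeholders chosen for the example.

```ini
# ipsec.conf (stroke/starter syntax). uniqueids lives in the global
# "config setup" section, so it applies to every conn in the file.
config setup
    # keep    : a second IKE_SA from an identity that already has one
    #           is rejected and the earlier SA stays up.
    # replace : (same as yes, the default) the new IKE_SA replaces the
    #           old one, so the earlier device is torn down.
    # no      : duplicates are allowed; old SAs are still replaced on
    #           an INITIAL_CONTACT notify.
    # never   : duplicates are allowed and INITIAL_CONTACT is ignored.
    # Exactly one of these takes effect; the others are shown commented out.
    uniqueids=keep
    #uniqueids=replace
    #uniqueids=no
    #uniqueids=never

# Roadwarrior responder handing out virtual IPs from an in-memory pool.
# Names and the pool range are placeholders for this example.
conn roadwarrior
    left=%any
    leftcert=gatewayCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    # Virtual IP pool; the lease is associated with the client's identity,
    # which is why the post sees the same address on two devices that
    # authenticate with the same certificate.
    rightsourceip=10.10.0.0/24
    auto=add
```

Because `uniqueids` is keyed on the IKE identity (here, the certificate subject), none of its values by itself gives a second device with the same certificate a distinct address; it only decides whether the second IKE_SA is refused (`keep`), supersedes the first (`replace`/`yes`), or coexists with it (`no`/`never`). After changing the value, reload or restart the daemon so the new setting is read.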
