Hi Tobias,

That's great news. You are right, I can see those entries in sys logs. But there is still a strange issue. At 12:09:27 despite the initial disconnect request and acknowledgement, StrongSwan doesn't disconnect the user.

Oct 15 12:09:27 stag-1 charon: 05[CFG] reassigning offline lease to 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] assigning virtual IP xxxx:54c4:xxxx:1::301 to peer 'houman'
Oct 15 12:09:27 stag-1 charon: 05[IKE] CHILD_SA stag-1{26} established with SPIs c8a04ba5_i 041b28de_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32 xxx:54c4:4c90:1::301/128
Oct 15 12:09:27 stag-1 charon: 05[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:27 stag-1 charon: 05[NET] sending packet: from 172.31.X.X[4500] to 5.78.X.X[4500] (352 bytes)

10 seconds later (because of the Acct-Interim-Interval) a second disconnect request is sent.

post-auth {
    update reply {
        Acct-Interim-Interval = 10
    }
}

Oct 15 12:09:37 stag-1 charon: 16[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 07[IKE] deleting IKE_SA stag-1[35] between 172.31.xx.xx[stag-1.xxx.com]…5.78.xxx.xx[stag-1.xxx.com]
Oct 15 12:09:37 stag-1 charon: 07[IKE] sending DELETE for IKE_SA stag-1[35]
Oct 15 12:09:37 stag-1 charon: 07[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 15 12:09:37 stag-1 charon: 07[NET] sending packet: from 172.31.xx.xx[4500] to 5.78.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 16[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[NET] received packet: from 5.78.xx.xx[4500] to 172.31.xx.xx[4500] (80 bytes)
Oct 15 12:09:37 stag-1 charon: 06[ENC] parsed INFORMATIONAL response 0 [ ]
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 06[CFG] sending RADIUS Accounting-Request to server 'server-a'
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:37 stag-1 charon: 06[CFG] received RADIUS Accounting-Response from server 'server-a'
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease fdd2:54c4:4c90:1::301 by 'houman' went offline
Oct 15 12:09:37 stag-1 charon: 06[CFG] lease 10.10.10.1 by 'houman' went offline

Only this time it actually works and the user is disconnected. Why isn't it working the first time around?

Many Thanks,
Houman

On Tue, 15 Oct 2019 at 15:34, Tobias Brunner <tob...@strongswan.org> wrote:

> Hi Houman,
>
> > What attributes *should* be in the Disconnect-Request beside User-Name?
>
> None, that's fine. If you receive a NAK that means no IKE_SA was found
> with a matching remote identity. You should see something like this in
> the strongSwan log:
>
> > received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
> > no IKE_SA matches houman, sending Disconnect-NAK
>
> Regards,
> Tobias
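
One way to line up each DAE Disconnect-Request in a charon log with its ACK/NAK and with how far IKE_AUTH had progressed when the request arrived, as an added example that is not part of the original thread. The sample lines are copied from the log excerpt in the message above; `correlate_dae` and the `auth_done` flag are hypothetical names, and the flag is a heuristic that assumes a single peer in the log.

```python
import re

# Constructed sample: lines copied from the log excerpt in the message above.
SAMPLE_LOG = """\
Oct 15 12:09:27 stag-1 charon: 13[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:27 stag-1 charon: 13[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
Oct 15 12:09:27 stag-1 charon: 05[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Oct 15 12:09:37 stag-1 charon: 07[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 07[CFG] closing 1 IKE_SA matching Disconnect-Request, sending Disconnect-ACK
Oct 15 12:09:37 stag-1 charon: 06[IKE] IKE_SA deleted
Oct 15 12:09:37 stag-1 charon: 11[CFG] received RADIUS DAE Disconnect-Request for houman from 127.0.0.1
Oct 15 12:09:37 stag-1 charon: 11[CFG] no IKE_SA matches Disconnect-Request, sending Disconnect-NAK
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ charon: (\d+)\[\w+\] (.*)$")
REQUEST = re.compile(r"received RADIUS DAE Disconnect-Request for (\S+) from (\S+)")
REPLY = re.compile(r"sending Disconnect-(ACK|NAK)")

def correlate_dae(log_text):
    """Pair each Disconnect-Request with the ACK/NAK logged by the same charon thread."""
    pending = {}       # charon thread id -> request still waiting for its ACK/NAK line
    events = []
    # Single-peer heuristic (assumption): True between a logged
    # "generating IKE_AUTH response" and the next "IKE_SA deleted".
    auth_done = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, thread, msg = m.groups()
        req, reply = REQUEST.search(msg), REPLY.search(msg)
        if req:
            pending[thread] = {"time": ts, "user": req.group(1),
                               "source": req.group(2), "auth_done": auth_done}
        elif reply and thread in pending:
            event = pending.pop(thread)
            event["result"] = reply.group(1)
            events.append(event)
        elif "generating IKE_AUTH response" in msg:
            auth_done = True
        elif msg == "IKE_SA deleted":
            auth_done = False
    return events

if __name__ == "__main__":
    for e in correlate_dae(SAMPLE_LOG):
        print(e["time"], e["user"], e["result"], "auth_done=%s" % e["auth_done"])
```

On the sample lines, both NAKs are for requests logged while no completed IKE_AUTH response was on record, and the ACK is for the request logged after one.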