On 22.10.20 16:00, Grischa Stegemann wrote:
> Hello All
>
> We are connecting hardware IP phones with their built-in IPsec client
> to our strongSwan server.
> The phones can do IKEv2 with PSK plus EAP authentication.
>
> Everything is working fine until two "road warrior phones" happen to
> have the same RFC1918 IPv4 address within their corresponding local
> (home user) networks behind their individual NAT gateways.
>
> E.g. during IKE_AUTH we get
>
>   looking for peer configs matching
>   xxx.xxx.xxx.xxx[%any]...yyy.yyy.yyy.yyy[192.168.1.10]
>
> for the first client.
> Then the connection and the SA are built with '192.168.1.10' as the
> client's identifier.
>
> Now a second phone comes along with
>
>   looking for peer configs matching
>   xxx.xxx.xxx.xxx[%any]...zzz.zzz.zzz.zzz[192.168.1.10]
>
> After successful PSK and EAP authentication the new client gets a
> different virtual IP assigned, which is good, but then the duplicate
> SA kicks in:
>
>   detected duplicate IKE_SA for '192.168.1.10', triggering delete for
>   old IKE_SA
>
> I have tried uniqueids=no and uniqueids=never but this does not solve
> the problem. And I have to admit that I did not fully understand the
> use of this parameter. :-(
>
> Our ipsec.conf is rather simple:
>
>   conn IKEv2-PSK-EAP
>       left=%any
>       leftid=@myhostname.mydomain
>       leftsubnet=0.0.0.0/0
>       leftauth=psk
>       rightsourceip=10.0.200.0/24
>       right=%any
>       rightid=%any
>       rightauth=eap-mschapv2
>       rightauth2=psk
Can you configure the phone to use anything other than its IP address for
identification, i.e. a hostname? Logs?

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
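As an added illustration (not from the thread and not part of strongSwan), a small Python script that scans charon log lines of the kind quoted above and reports any IKE identity presented from more than one remote endpoint, flagging RFC 1918 addresses used as identities; the sample log lines and all addresses in them are constructed, and the regexes assume the log format shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample charon log lines, modelled on the ones quoted in the thread.
# Addresses are placeholders; two phones both present 192.168.1.10 as their identity.
SAMPLE_LOG = """\
10[CFG] looking for peer configs matching 203.0.113.5[%any]...198.51.100.7[192.168.1.10]
10[CFG] selected peer config 'IKEv2-PSK-EAP'
11[CFG] looking for peer configs matching 203.0.113.5[%any]...192.0.2.33[192.168.1.10]
11[IKE] detected duplicate IKE_SA for '192.168.1.10', triggering delete for old IKE_SA
12[CFG] looking for peer configs matching 203.0.113.5[%any]...192.0.2.34[phone-0042.example.net]
"""

# remote endpoint and identity from "... matching local[lid]...remote[rid]"
PEER_RE = re.compile(r"looking for peer configs matching \S+\[[^\]]*\]\.\.\.(\S+)\[([^\]]+)\]")
DUP_RE = re.compile(r"detected duplicate IKE_SA for '([^']+)'")
RFC1918_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def analyse(log_text):
    """Return (colliding_ids, duplicate_events).

    colliding_ids maps an IKE identity to the set of remote endpoints it was
    seen from, keeping only identities presented by more than one endpoint.
    duplicate_events lists identities for which charon logged a duplicate IKE_SA.
    """
    endpoints = defaultdict(set)
    duplicates = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            remote_addr, peer_id = m.groups()
            endpoints[peer_id].add(remote_addr)
            continue
        m = DUP_RE.search(line)
        if m:
            duplicates.append(m.group(1))
    colliding = {pid: addrs for pid, addrs in endpoints.items() if len(addrs) > 1}
    return colliding, duplicates


def is_private_ipv4_identity(peer_id):
    """True if the identity is an RFC 1918 address, i.e. not unique across NATed sites."""
    return bool(RFC1918_RE.match(peer_id))


if __name__ == "__main__":
    colliding, duplicates = analyse(SAMPLE_LOG)
    for pid, addrs in colliding.items():
        flag = " (RFC 1918 address used as identity)" if is_private_ipv4_identity(pid) else ""
        print(f"identity {pid!r} presented from {sorted(addrs)}{flag}")
    for pid in duplicates:
        print(f"charon replaced an IKE_SA for identity {pid!r}")
```

Run against a real charon log to see which identities collide across sites before deciding whether to change what the phones send as their IKE ID.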