[strongSwan] virtual IP assignment fails if previous tunnel not properly shutdown

Martin Willi martin at strongswan.org
Wed Jan 5 18:51:29 CET 2011


Hi,

> This is a good case where the INITIAL_CONTACT notify could delete the
> old SA, but we currently do not support it.

I've implemented INITIAL_CONTACT support for the upcoming 4.5.1. If the
ipsec.conf uniqueids option is not set to 'no', the initiator sends this
notify if it does not have an SA with the same peer.

There are some requirements, though: The initiator must have the
responder identity configured (using rightid), otherwise it can't
compare the identity to existing SAs. Further, EAP is currently not
supported, as the initiator ID we are comparing is never authenticated.

If a responder receives an INITIAL_CONTACT, it deletes any SAs having
the same identities immediately. This will release the address of any
dangling tunnel and it can be reassigned during the same connection
attempt.

A snapshot is available at [1].

Regards
Martin

[1]http://download.strongswan.org/snapshots/strongswan-4.5.0-446-gfb1e7df.tar.bz2
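The following is an added illustration of the behaviour the message describes, not code from the message or from strongSwan. It models a responder with a small virtual IP pool and an SA table, and an initiator that applies the stated conditions (uniqueids not 'no', rightid configured, no EAP, no existing SA with the peer) before sending INITIAL_CONTACT. The class names, the one-address pool, the identities and the IKE_AUTH handling are constructed assumptions; they show why a dangling SA blocks the address and how deleting SAs with the same identities on INITIAL_CONTACT frees it during the same connection attempt.

```python
"""Toy model of INITIAL_CONTACT handling (added example, not strongSwan code).

Assumptions (not from the message): SAs are keyed by the pair of identities,
the responder hands out addresses from a simple list, and a crashed
initiator comes back with an empty SA table while the responder still
holds the old SA.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkeSa:
    my_id: str
    other_id: str
    virtual_ip: Optional[str] = None


@dataclass
class Responder:
    pool: List[str]                      # free virtual IPs (constructed sample pool)
    sas: List[IkeSa] = field(default_factory=list)

    def handle_ike_auth(self, initiator_id: str, my_id: str,
                        initial_contact: bool) -> Optional[str]:
        """Return the assigned virtual IP, or None if none is available."""
        if initial_contact:
            # INITIAL_CONTACT: delete every SA with the same identities at once,
            # which releases the address held by a dangling tunnel.
            for sa in list(self.sas):
                if sa.my_id == my_id and sa.other_id == initiator_id:
                    self.sas.remove(sa)
                    if sa.virtual_ip is not None:
                        self.pool.append(sa.virtual_ip)
        if not self.pool:
            return None                  # pool exhausted: assignment fails
        ip = self.pool.pop(0)
        self.sas.append(IkeSa(my_id, initiator_id, ip))
        return ip


@dataclass
class Initiator:
    my_id: str
    rightid: Optional[str]               # responder identity, as configured
    uniqueids: str = "yes"               # ipsec.conf uniqueids value
    eap: bool = False                    # EAP authentication in use
    sas: List[IkeSa] = field(default_factory=list)

    def wants_initial_contact(self) -> bool:
        """Apply the conditions stated in the message."""
        if self.uniqueids == "no":
            return False
        if self.rightid is None:
            return False                 # cannot compare identities without rightid
        if self.eap:
            return False                 # initiator ID is never authenticated under EAP
        # only if there is no SA with the same peer already
        return not any(sa.other_id == self.rightid for sa in self.sas)


def scenario(initial_contact_supported: bool, uniqueids: str = "yes") -> Optional[str]:
    """Roadwarrior reconnects after a crash; return the virtual IP it gets."""
    gateway_id = "gateway.example.org"        # constructed identities
    roadwarrior_id = "roadwarrior@example.org"
    responder = Responder(pool=["10.3.0.1"])   # constructed one-address pool

    # First tunnel: the roadwarrior takes the only address.
    responder.handle_ike_auth(roadwarrior_id, gateway_id, initial_contact=False)

    # The roadwarrior reboots without sending a DELETE. The responder keeps the
    # dangling SA; the initiator starts with an empty SA table.
    carol = Initiator(my_id=roadwarrior_id, rightid=gateway_id, uniqueids=uniqueids)
    send_ic = initial_contact_supported and carol.wants_initial_contact()
    return responder.handle_ike_auth(carol.my_id, carol.rightid, initial_contact=send_ic)


if __name__ == "__main__":
    print("without INITIAL_CONTACT:", scenario(False))
    print("with INITIAL_CONTACT:   ", scenario(True))
    print("uniqueids=no:           ", scenario(True, uniqueids="no"))
```

Running the script shows the failure from the subject line first (the dangling SA still holds the only address, so the reconnect gets no virtual IP) and then the reassignment succeeding once the responder deletes the old SA on INITIAL_CONTACT; with uniqueids=no the notify is not sent and the old behaviour returns.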