[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD

Andreas Steffen andreas.steffen at strongswan.org
Fri Mar 4 10:25:59 CET 2011

Hello Fabrice,

On 04.03.2011 08:43, CETIAD - Fabrice Barconnière wrote:
>>> In the past usually two IKE_SAs and corresponding CHILD_SAs were
>>> established and maintained over all subsequent rekeyings. This is
>>> not harmful per se but creates twice the number of tunnels. I have
>>> to check if the the INITIAL_CONTACT notification introduced with
>>> strongSwan 4.5.1 has changed this behaviour.
>> This is indeed the case. With 4.5.1 you get:
>> Mar  3 22:13:18 moon charon:
>>   03[IKE] deleting duplicate IKE_SA for peer 'sun.strongswan.org' due to
>> uniqueness policy
>> 03[IKE] deleting IKE_SA net-net[1] between
> So it's better to keep 0 on one side and 2 on the other and execute when
> restart ipsec or reboot "ipsec up" for each peer_configs on the gateway
> where start_action=0.

No, what I wanted say is that you can set start_action=2 on both sides
because duplicate tunnels now get deleted with strongSwan 4.5.1.



Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list