[strongSwan] disable initial_contact support in 4.6.2

Joern Mewes joern.mewes at gmx.net
Fri Jun 29 15:52:21 CEST 2012

Hi all,

Today I was upgrading our systems from strongswan 4.5.2 to 4.6.2. The upgrade as such was running fine, but unfortunately I am facing a problem and could not find a solution. Thus, I would appreciate it if you could give me some hints on how to solve the following issue:

It seems that between 4.5.2 and 4.6.2 “INITIAL CONTACT” support has been changed and I think that this is causing the problem in my setup. I am using a single strongswan client to simulate 150 different VPN peers establishing VPNs to a central security gateway. Thus, I have 150 connection entries in my ipsec.conf; each one is using a different left= address to set up the VPNs.

Under 4.5.2 everything was running fine. On 4.6.2 I am getting the following message in the log and I have just one active VPN.
“Jun 29 14:47:45 tst-21 charon: 02[IKE] destroying duplicate IKE_SA for peer 'seg.test.lab', received INITIAL_CONTACT”.

I read in https://lists.strongswan.org/pipermail/announce/2011-February/000066.html that initial_contact support can be turned off by using the “uniqueids” parameter, but this parameter is already set to “no” without improving the situation.

I am wondering if there is something wrong in 4.6.2 or if there is another way to turn off the “initial contact” check by configuration. Is someone able to answer this?

Thanks for your support.

