[strongSwan] disable initial_contact support in 4.6.2

Martin Willi martin at strongswan.org
Fri Jun 29 16:10:12 CEST 2012


Hello Joern,

> that initial_contact support can be turned off by using the “uniqueids”
> parameter but this parameter is already set to “no” without improving
> the situation.

If a responder receives an INITIAL_CONTACT, it will delete any existing
connections using the same IKE identities. This happens regardless of
any uniqueids setting on the responder.

As an initiator, however, the uniqueids setting can change the behavior
of sending this INITIAL_CONTACT. If uniqueids=no, it is not sent, but it
is when using "keep" or "replace". Setting uniqueids=no on the client
should disable the INITIAL_CONTACT and fix your issue.

RFC 5996 says:

> The INITIAL_CONTACT notification asserts that this IKE SA is the only
> IKE SA currently active between the authenticated identities.  It MAY
> be sent when an IKE SA is established after a crash, and the
> recipient MAY use this information to delete any other IKE SAs it has
> to the same authenticated identity without waiting for a timeout.
> This notification MUST NOT be sent by an entity that may be
> replicated (e.g., a roaming user's credentials where the user is
> allowed to connect to the corporate firewall from two remote systems
> at the same time).

Kind Regards
Martin
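The asymmetry Martin describes (the responder acts on a received INITIAL_CONTACT no matter what its own uniqueids says, while only the initiator's uniqueids decides whether the notify is sent at all) is easy to get wrong when debugging, so here is a small model of it. This is an added example, not strongSwan code: it reads `uniqueids` from the `config setup` section of a constructed ipsec.conf, decides whether the client attaches N(INITIAL_CONTACT) to its IKE_AUTH, and lets a modelled responder delete every existing IKE SA between the same pair of identities when the notify arrives. Assumptions: the identities `carol@strongswan.org` and `moon.strongswan.org` are made up, `uniqueids=yes` is treated like `replace` (it is the default and, as far as the mail goes, not `no`), and the responder's own uniqueids-driven replacement of duplicate SAs, which happens without any notify, is deliberately not modelled because the mail does not discuss it.

```python
"""Model of INITIAL_CONTACT handling versus the uniqueids setting (added example)."""
from dataclasses import dataclass, field

INITIAL_CONTACT = "INITIAL_CONTACT"

# Constructed ipsec.conf fragments for the client; only 'config setup' matters here.
CLIENT_CONF_NO = """\
config setup
        # suppress N(INITIAL_CONTACT) in IKE_AUTH
        uniqueids=no

conn home
        right=moon.strongswan.org
"""
CLIENT_CONF_KEEP = CLIENT_CONF_NO.replace("uniqueids=no", "uniqueids=keep")


def parse_setup_uniqueids(ipsec_conf: str) -> str:
    """Return the uniqueids value from 'config setup'; strongSwan's default is 'yes'."""
    section, value = None, "yes"
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented line starts a section
            section = line.strip()
            continue
        if section == "config setup" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "uniqueids":
                value = val.lower()
    return value


def initiator_notifies(uniqueids: str) -> list:
    """Notifies the initiator adds to IKE_AUTH. Per the mail, only uniqueids=no
    suppresses INITIAL_CONTACT; 'replace', 'keep' (and the default 'yes',
    assumed equivalent to 'replace') all send it."""
    return [] if uniqueids == "no" else [INITIAL_CONTACT]


@dataclass
class IkeSa:
    spi: int
    peer_id: str   # authenticated identity of the remote side
    own_id: str    # identity the responder authenticated with


@dataclass
class Responder:
    uniqueids: str                      # present but unused for INITIAL_CONTACT handling
    sas: list = field(default_factory=list)

    def ike_auth(self, spi: int, peer_id: str, own_id: str, notifies: list) -> list:
        """Process an authenticated IKE_AUTH. Returns SPIs of SAs deleted because of
        INITIAL_CONTACT. self.uniqueids is intentionally never consulted here."""
        deleted = []
        if INITIAL_CONTACT in notifies:
            survivors = []
            for sa in self.sas:
                if (sa.peer_id, sa.own_id) == (peer_id, own_id):
                    deleted.append(sa.spi)      # same identities: torn down immediately
                else:
                    survivors.append(sa)
            self.sas = survivors
        self.sas.append(IkeSa(spi, peer_id, own_id))
        return deleted


def run_scenario(client_uniqueids: str, responder_uniqueids: str) -> list:
    """Client builds SA 1, 'crashes', then re-authenticates as SA 2 with the same
    identities. Returns which SPIs the responder deleted on the second IKE_AUTH."""
    peer, own = "carol@strongswan.org", "moon.strongswan.org"   # constructed identities
    responder = Responder(responder_uniqueids)
    responder.ike_auth(1, peer, own, initiator_notifies(client_uniqueids))
    return responder.ike_auth(2, peer, own, initiator_notifies(client_uniqueids))


if __name__ == "__main__":
    for conf in (CLIENT_CONF_NO, CLIENT_CONF_KEEP):
        client = parse_setup_uniqueids(conf)
        for responder in ("no", "replace"):
            print(f"client uniqueids={client:<5} responder uniqueids={responder:<8} "
                  f"deleted SAs: {run_scenario(client, responder)}")
```

Running it shows the point of the mail: with `uniqueids=keep` on the client the first SA is deleted even when the responder has `uniqueids=no`, and with `uniqueids=no` on the client nothing is deleted whatever the responder is set to.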