[strongSwan] uniqueids

Peter Sagerson psagers at ignorare.net
Wed Mar 28 04:37:37 CEST 2012

Here's another question, and I hope it will be easier, more interesting, and less lame than my last.

I see that both pluto and charon support the uniqueids option, which ensures that each peer ID can only connect from one IP at a time. I have a situation where some peers are generating multiple connections from a single IP and the old ones are left hanging, generally until they eventually get cleaned up by DPD. So is there some deep technical reason for the different-ip constraint on peer uniquing, or is that simply the policy that makes the most sense for most deployments? Put another way, what terrible fate would befall me if I were to remove the sameaddr check in a private build and enforce unique IDs regardless?


More information about the Users mailing list