[strongSwan] uniqueids

Tobias Brunner tobias at strongswan.org
Wed Mar 28 11:05:13 CEST 2012

Hi Peter,

> I see that both pluto and charon support the uniqueids option, which
> ensures that each peer ID can only connect from one IP at a time. I
> have a situation where some peers are generating multiple connections
> from a single IP and the old ones are left hanging, generally until
> they eventually get cleaned up by DPD. So is there some deep
> technical reason for the different-ip constraint on peer uniquing, or
> is that simply the policy that makes the most sense for most
> deployments?

Have a look at issue #187 [1] which touches on this topic in regards to
pluto.  In comparison to pluto charon only uses the IDs to decide if an
SA is a duplicate.

> Put another way, what terrible fate would befall me if I were to
> remove the sameaddr check in a private build and enforce unique IDs
> regardless?

You could probably remove the address comparison in pluto but I'm not
entirely sure what the side-effects of this are (it will most likely
break if you have more than one Quick Mode SA queued, as that was
apparently the reason for the removal of the port comparison in 4.1.7).


[1] http://wiki.strongswan.org/issues/187

More information about the Users mailing list