[strongSwan] multiple use of same client certification

Cindy Moore ctmoore at cs.ucsd.edu
Sat Sep 20 04:42:37 CEST 2014


OK, so I discovered (because I was being lazy) that if you use two
different devices to connect that both have the same client
certificate, the same virtual IP is assigned to both of them, and both
of them seem to work just fine.... other than that they've both got the
same IP address o.O

Is that one of the situations this can address (found on
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
) :

"uniqueids = yes | no | never | replace | keep

whether a particular participant ID should be kept unique, with any
new IKE_SA using an ID deemed to replace all old ones using that ID.
Participant IDs normally are unique, so a new IKE_SA using the same ID
is almost invariably intended to replace an old one. The difference
between no and never is that the daemon will replace old IKE_SAs when
receiving an INITIAL_CONTACT notify if the option is no but will
ignore these notifies if never is configured. The daemon also accepts
the value replace which is identical to yes and the value keep to
reject new IKE_SA setups and keep the duplicate established earlier."

E.g., if I set uniqueids to keep, then the next device trying to use the
same certificate will be refused an IP address until such a time as
the first one disconnects? Or if I set it to replace, the first device
loses its virtual IP, which is then passed to the new device (the device
may be any type of client from laptop to phone)? Would there be some
way to simply give the second device the next virtual IP in the pool?

I'm pretty sure at least some of the roadwarrior crew I've got would
install their certs on multiple devices, so this situation is likely
to pop up.  It's the first thing I did, after all, while testing this
:-P

thanks,
--Cindy


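The situation described in the post (two ESTABLISHED IKE_SAs carrying the same peer identity, and the same virtual IP handed to both) is easy to spot by hand, but a gateway admin may want a quick check over `ipsec statusall` output. The following script is an added example, not code from the strongSwan project or from the thread; the sample output is constructed, and the line layout it parses (an `ESTABLISHED` IKE_SA line followed by its CHILD_SA lines, with the peer's virtual IP appearing as a /32 remote traffic selector) is an assumption about the `statusall` format, so adjust the regexes if your version prints differently.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample modelled on `ipsec statusall` output. The exact
# layout is an assumption for this example; real output carries more
# detail per SA (IKE SPIs, proposals, ...), which the parser ignores.
SAMPLE_STATUSALL = """\
Security Associations (3 up, 0 connecting):
  rw[3]: ESTABLISHED 2 minutes ago, 203.0.113.1[C=US, CN=vpn.example.org]...198.51.100.7[C=US, CN=alice@example.org]
  rw{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1d2e3f4_i a5b6c7d8_o
  rw{3}:   10.0.0.0/8 === 10.10.0.1/32
  rw[2]: ESTABLISHED 5 minutes ago, 203.0.113.1[C=US, CN=vpn.example.org]...192.0.2.55[C=US, CN=alice@example.org]
  rw{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 01020304_i 0a0b0c0d_o
  rw{2}:   10.0.0.0/8 === 10.10.0.1/32
  rw[1]: ESTABLISHED 10 minutes ago, 203.0.113.1[C=US, CN=vpn.example.org]...192.0.2.9[C=US, CN=bob@example.org]
  rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 11121314_i 1a1b1c1d_o
  rw{1}:   10.0.0.0/8 === 10.10.0.2/32
"""

# "conn[id]: ESTABLISHED ..., local_addr[local_id]...remote_addr[remote_id]"
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]: ESTABLISHED .*?, "
    r"(?P<local_addr>\S+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote_addr>\S+)\[(?P<remote_id>[^\]]*)\]\s*$"
)
# "conn{id}:   local_ts === remote_ts"  (CHILD_SA traffic selectors)
TS_RE = re.compile(
    r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local_ts>\S+) === (?P<remote_ts>\S+)\s*$"
)


def parse_statusall(text):
    """Return one dict per ESTABLISHED IKE_SA, in order of appearance, with
    the /32 remote traffic selectors of its CHILD_SAs collected as the
    peer's virtual IPs."""
    sas = []
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas.append({
                "conn": m["conn"],
                "id": int(m["id"]),
                "remote_addr": m["remote_addr"],
                "remote_id": m["remote_id"],
                "virtual_ips": [],
            })
            continue
        m = TS_RE.match(line)
        if m and sas:
            # statusall prints CHILD_SAs directly under their IKE_SA, so the
            # selector belongs to the most recently seen IKE_SA (assumption).
            ip, _, plen = m["remote_ts"].partition("/")
            if plen == "32" and ip not in sas[-1]["virtual_ips"]:
                sas[-1]["virtual_ips"].append(ip)
    return sas


def duplicate_identities(sas):
    """Map each peer identity used by more than one ESTABLISHED IKE_SA to
    the ids of those IKE_SAs: the case the uniqueids option governs."""
    by_id = defaultdict(list)
    for sa in sas:
        by_id[sa["remote_id"]].append(sa["id"])
    return {k: v for k, v in by_id.items() if len(v) > 1}


def duplicate_virtual_ips(sas):
    """Map each virtual IP that has been handed to more than one IKE_SA to
    the ids of those IKE_SAs (two devices sharing one address)."""
    by_ip = defaultdict(list)
    for sa in sas:
        for ip in sa["virtual_ips"]:
            by_ip[ip].append(sa["id"])
    return {k: v for k, v in by_ip.items() if len(v) > 1}


def report(sas):
    """Print duplicate identities and duplicate virtual IPs; return whether
    anything was flagged."""
    dup_ids = duplicate_identities(sas)
    dup_ips = duplicate_virtual_ips(sas)
    for ident, ids in dup_ids.items():
        print(f"identity {ident!r} used by IKE_SAs {ids}")
    for ip, ids in dup_ips.items():
        print(f"virtual IP {ip} assigned to IKE_SAs {ids}")
    return bool(dup_ids or dup_ips)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Read the running daemon's state instead of the constructed sample.
        text = subprocess.run(["ipsec", "statusall"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_STATUSALL
    sys.exit(1 if report(parse_statusall(text)) else 0)
```

Run it without arguments to see the check on the constructed sample (it flags the two `alice@example.org` IKE_SAs and the shared 10.10.0.1), or with `--live` on the gateway to check the real daemon. A non-zero exit when duplicates are found makes it usable from cron or a monitoring check.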