[strongSwan] "never" config for uniqueness for tunnels

Burak Çetin cetinbur at gmail.com
Tue Apr 21 19:55:56 CEST 2015


Firstly apologies if this is the wrong forum, and not sure if I should've
posted this under the developers forum.

I've a scenario where we use an updown script to do certain things when a
tunnel is established and then torn down. I've found that after certain
failed attempts (where an SA is established for us but doesn't quite work
for the peer) a peer tries to connect again, and we get this:

destroying duplicate IKE_SA for peer 'x.x.x.x', received INITIAL_CONTACT

in the logs. This means that the updown script never gets called for these
previously established tunnels with the down-* verb. Not sure if this is
the correct behaviour. But anyhow I'd rather the SA was left there to
expire and script called in the end to 'down' the tunnel.

Looking further I found the uniqueness configuration that relates to this.
It looks like the 'never' setting would be sufficient for my purpose to
make sure that the updown script is called during tunnel tear down. (Not
sure about this yet.) Our version of StrongSwan is based on a 4.x branch,
so doesn't have this relatively new setting.

I find that this setting was committed as part of this changeset:

Superficially judging, the changes seem fairly innocuous. I'm mainly
concerned about the change in "ike_auth.c", as it's not quite clear to me
why that was needed. Does anyone see a point of concern this change being
back-ported to the 4.x branch? Is there an easier solution to the problem I
describe above?

Many thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150421/b32b8540/attachment-0001.html>

More information about the Users mailing list