[strongSwan] IPSec / IKEv2, IP-(Re)assignment problem

Tobias Brunner tobias at strongswan.org
Mon May 20 14:59:26 CEST 2019


Hi Sven,

You explicitly disabled handling of INITIAL_CONTACT notifies with
uniqueids=never.  So existing IKE_SAs with the same client identity will
not be terminated when a new IKE_SA is created, which also means the
existing virtual IP is not released.  Since the same virtual IP can't be
assigned to multiple clients, a new virtual IP is allocated instead.

Also, reducing the DPD timeout on servers with mobile clients is not
that good an idea as it prevents clients from roaming between networks
(or being without connectivity for a while due to other reasons) and
updating the existing IKE_SA via MOBIKE afterwards.

Regards,
Tobias
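
An ipsec.conf fragment reflecting the two points in the reply above, added here as an illustration; it is not part of the original message and not taken from the poster's configuration. The connection name, address pool and DPD interval are constructed values.

```conf
# Setting described in the reply as the cause:
#   uniqueids = never
# INITIAL_CONTACT notifies are ignored, so the old IKE_SA of a
# reconnecting client stays up and keeps holding its virtual IP.

config setup
    # "yes" is the default: a new IKE_SA with the same client identity
    # replaces the existing one, which releases the old virtual IP.
    uniqueids = yes

conn roadwarrior-example
    keyexchange = ikev2
    left = %any
    leftsubnet = 0.0.0.0/0
    right = %any
    # Constructed pool; each address is leased to one client at a time.
    rightsourceip = 10.10.10.0/24
    # Let clients update the existing IKE_SA after changing networks.
    mobike = yes
    # Constructed value: a relaxed liveness-check interval, so a client
    # that is briefly offline is not dropped before it can return.
    dpdaction = clear
    dpddelay = 300s
    auto = add
```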

