[strongSwan] IPSec / IKEv2, IP-(Re)assignment problem

Sven Anders anders at anduras.de
Thu May 23 10:45:48 CEST 2019

Am 20.05.19 um 14:59 schrieb Tobias Brunner:
> Hi Sven,
> You explicitly disabled handling of INITIAL_CONTACT notifies with
> uniqueids=never.  So existing IKE_SAs with the same client identity will
> not be terminated when a new IKE_SA is created, which also means the
> existing virtual IP is not released.  Since the same virtual IP can't be
> assigned to multiple clients, a new virtual IP is allocated instead.
> Also, reducing the DPD timeout on servers with mobile clients is not
> that good an idea as it prevents clients from roaming between networks
> (or being without connectivity for a while due to other reasons) and
> updating the exiting IKE_SA via MOBIKE afterwards.

Hello Tobias!

Thanks for the answer. We set "uniqueids" to "never" to allow simultaneous
connections with the same user account. For instance a simultaneous login
from the iPhone and the iPad.

If this "uniqueness" is only determined by the login username and not
further data (like a mac address or name of the connecting device), I see
that this will not work.

Or do you have any other ideas to make this work?

 Sven Anders

 Sven Anders <anders at anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: anders.vcf
Type: text/x-vcard
Size: 339 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190523/13233a8c/attachment.vcf>

More information about the Users mailing list