[strongSwan] Query on INITIAL_CONTACT

MOHIT CHALLA (mochalla) mochalla at cisco.com
Wed Jul 14 08:46:23 CEST 2021


I have a question regarding INITIAL_CONTACT in IKEv2.

I have found the following text in StrongSwan's documentation (https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf):

Default => no
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. The value never does never enforce such a policy, even if a peer included INITIAL_CONTACT notification messages, whereas no replaces existing connections for the same identity if a new one has the INITIAL_CONTACT notify. keep rejects new connection attempts if the same user already has an active connection, replace deletes any existing connection if a new one for the same user gets established.
To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). Unless set to never the client will send a notify

This text seems to indicate that StrongSwan sends out INITIAL_CONTACT when it is acting as an initiator unless the above option is set to 'never'.

My question is whether this has been the behaviour of StrongSwan's implementation since day one. If a device is using an older version of StrongSwan's implementation, will the above-documented behaviour hold true?
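
For reference, the policy described in the quoted excerpt is the connections.<conn>.unique option in swanctl.conf. The following is an added illustration, not part of the original post and not taken from strongSwan's own documentation, of the setting on both sides of a road-warrior setup: the client suppresses the INITIAL_CONTACT notify with unique = never, while the gateway enforces a uniqueness policy on the EAP identity. Hostnames, identities, the pool name and the certificate filename are made-up placeholders.

```conf
# Client (initiator) side: with the default (unique = no) the client sends an
# INITIAL_CONTACT notify in IKE_AUTH when it finds no existing IKE_SA for the
# peer. Setting "never" suppresses the notify entirely.
connections {
    rw-client {
        version = 2
        remote_addrs = vpn.example.org        # placeholder gateway name
        local {
            auth = eap-mschapv2
            eap_id = alice                    # placeholder EAP identity
        }
        remote {
            auth = pubkey
            id = vpn.example.org
        }
        children {
            net {
                remote_ts = 0.0.0.0/0
            }
        }
        unique = never
    }
}

# Gateway (responder) side: because EAP is involved, uniqueness is compared on
# the EAP identity, not the IKE identity. "keep" rejects a second session for
# the same user; "replace" would instead tear down the older one. Either value
# applies regardless of whether the client sent INITIAL_CONTACT.
connections {
    rw-gateway {
        version = 2
        local {
            auth = pubkey
            certs = gwCert.pem                # placeholder certificate file
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        pools = rw-pool                       # placeholder pool name
        children {
            net {
                local_ts = 0.0.0.0/0
            }
        }
        unique = keep
    }
}
```

Note that on the responder the default (no) only replaces an existing session when the new one carries INITIAL_CONTACT, so a client configured with unique = never will leave stale sessions for the same user in place unless the gateway uses keep or replace.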

