[strongSwan] Query on INITIAL_CONTACT
MOHIT CHALLA (mochalla)
mochalla at cisco.com
Wed Jul 14 08:46:23 CEST 2021
I have a question regarding INITIAL_CONTACT in IKEv2.
I have found the following text in StrongSwan's documentation (https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf):
Default => no
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. The value never does never enforce such a policy, even if a peer included INITIAL_CONTACT notification messages, whereas no replaces existing connections for the same identity if a new one has the INITIAL_CONTACT notify. keep rejects new connection attempts if the same user already has an active connection, replace deletes any existing connection if a new one for the same user gets established.
To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). Unless set to never the client will send a notify
This text seems to indicate that StrongSwan sends out INITIAL_CONTACT when it is acting as an initiator unless the above option is set to 'never'.
My question is whether this has been the behaviour of strongSwan's implementation since day one. If a device is using an older version of strongSwan, will the above-documented behaviour hold true?
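The INITIAL_CONTACT notify discussed above is an ordinary IKEv2 Notify payload (payload type 41, Notify Message Type 16384 per RFC 7296) carried, in IKE_AUTH, inside the encrypted SK payload; whether a given initiator actually sends it can therefore only be confirmed on the decrypted payload chain. The following Python is an added example, not code from the post or from strongSwan: it parses an IKEv2 payload chain and reports the notify types it finds, and it builds a constructed (not captured) IKE_AUTH-style chain of IDi, N(INITIAL_CONTACT) and AUTH payloads to run against. The `first_type` argument is what a real decoder would take from the Next Payload field of the enclosing SK header; the sample identity and AUTH data are placeholders.

```python
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2)
NO_NEXT_PAYLOAD = 0
PAYLOAD_IDI = 35
PAYLOAD_AUTH = 39
PAYLOAD_NOTIFY = 41

# Notify Message Type for INITIAL_CONTACT (RFC 7296, section 3.10.1)
INITIAL_CONTACT = 16384


def build_payload(next_payload, body):
    """Wrap a body in the generic payload header: next payload, C/reserved, length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_notify(next_payload, msg_type, protocol_id=0, spi=b"", data=b""):
    """Build a Notify payload: protocol ID, SPI size, message type, SPI, data."""
    body = struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + data
    return build_payload(next_payload, body)


def iter_payloads(first_type, data):
    """Walk a payload chain and yield (payload_type, body) for each payload.

    The type of the first payload comes from the enclosing header (for a
    decrypted IKE_AUTH chain, the SK payload's Next Payload field); every
    later type comes from the previous payload's Next Payload field.
    """
    ptype = first_type
    offset = 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _flags, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        yield ptype, data[offset + 4:offset + length]
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - offset))


def notify_types(first_type, data):
    """Return the Notify Message Types present in a payload chain, in order."""
    found = []
    for ptype, body in iter_payloads(first_type, data):
        if ptype == PAYLOAD_NOTIFY:
            if len(body) < 4:
                raise ValueError("Notify payload too short")
            _proto, _spi_size, msg_type = struct.unpack_from("!BBH", body, 0)
            found.append(msg_type)
    return found


def has_initial_contact(first_type, data):
    """True if the chain carries an INITIAL_CONTACT notify."""
    return INITIAL_CONTACT in notify_types(first_type, data)


def sample_chain(with_initial_contact):
    """Constructed decrypted IKE_AUTH initiator chain (placeholder data, not a capture).

    Returns (first_payload_type, chain_bytes); the chain is IDi -> [N] -> AUTH.
    """
    idi = struct.pack("!B3x", 2) + b"client.example.org"   # ID type 2 = ID_FQDN
    auth = struct.pack("!B3x", 2) + bytes(32)               # method 2 = shared key MIC, dummy data
    if with_initial_contact:
        chain = (build_payload(PAYLOAD_NOTIFY, idi)
                 + build_notify(PAYLOAD_AUTH, INITIAL_CONTACT)
                 + build_payload(NO_NEXT_PAYLOAD, auth))
    else:
        chain = build_payload(PAYLOAD_AUTH, idi) + build_payload(NO_NEXT_PAYLOAD, auth)
    return PAYLOAD_IDI, chain


if __name__ == "__main__":
    for flag in (True, False):
        first, chain = sample_chain(flag)
        print("with_initial_contact=%s -> notifies %s, INITIAL_CONTACT present: %s"
              % (flag, notify_types(first, chain), has_initial_contact(first, chain)))
```

Because the parser follows the Next Payload chain rather than scanning for the constant 16384, a 0x4000 that happens to appear inside an identity or AUTH blob is not mistaken for the notify; the length checks also reject chains that do not account for every byte, which is the usual sign of a mis-decrypted SK payload.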