Feature #1380
Updated by Tobias Brunner over 9 years ago
Initial contact notifications don't clear old connections sharing the same identity. No logs of duplicate checking are seen.
<pre>
config setup
    uniqueids = no

conn ikev2server
    left=%any
    right=%any
    keyexchange=ikev2
    rekey=no
    dpddelay=90s
    dpdtimeout=150s
    dpdaction=clear
    closeaction=clear
    leftsubnet=0.0.0.0/0
    rightfirewall=yes
    leftfirewall=yes
    rightdns=8.8.8.8,8.8.4.4
    leftsendcert=always
    rightsendcert=never

conn ikev2psk
    auto=add
    also=ikev2server
    leftid=@vpn.somehost.co.za
    leftauth=psk
    rightauth=psk
    rightsourceip=10.152.0.0/16

conn ikev2eap
    auto=add
    also=ikev2server
    leftcert=host.crt
    leftid=@vpn.somehost.co.za
    rightauth=eap-md5
    eap_identity=%any # this doesn't make a difference
    rightsourceip=10.152.0.0/16
</pre>
Two Android devices with the strongSwan app connecting to this server don't kick each other off. If uniqueids=yes is set, then obviously it works, but not due to INIT_CONTACT.
But a strange scenario is when my Android phone connects with its built-in IKEv2 PSK connection (which also sends INIT_CONTACT): it doesn't kick off the strongSwan connection, even though the same ID is used and even though uniqueids=yes.
Two connections from the phone's built-in PSK connection kick each other off with uniqueids=yes or no. Logs show that INIT_CONTACT causes the kickoff in both cases.