duplicheck plugin » History » Version 1

Version 1/6
Martin Willi, 28.02.2011 16:22


duplicheck plugin

The duplicheck plugin provides advanced but very specialized duplicate checking of peer identities. It works independently of the uniqueids option in ipsec.conf.

Behavior

The behavior of the duplicheck plugin is as follows:
  • While establishing a new IKE_SA, check whether an IKE_SA with the same peer identity already exists
  • If so:
    • Initiate a delete exchange on the old IKE_SA; this serves both as a liveness check of the old peer and as the deletion of the old IKE_SA
    • If no response to the delete arrives after several retransmits, the old peer is gone: destroy the old IKE_SA and keep the new one
    • If a response is received, the old peer is still alive, so the same identity is in use from two endpoints at once:
      • Also delete the newly established IKE_SA
      • Send a notification over a UNIX socket to listening applications (if any)

Notifications

If two IKE_SAs exist with the same peer identity and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX socket. The notification is only sent in this case, i.e. when the old peer proved to be alive; a stale IKE_SA that merely timed out produces none. Both IKE_SAs of that identity have been deleted by the time the notification arrives, so a listener should treat it as an alert about an identity in use from two places, not as a condition to repair. An example listener is provided with the duplicheck tool: it connects to the socket and receives the affected peer identity.

To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You will have to either start a dedicated thread that reads from the socket or integrate the file descriptor into your application's main loop.
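The following listener is an added example of the main-loop integration described above; it is not the duplicheck tool shipped with strongSwan. The page states neither the socket path nor the wire format, so both are assumptions here: the path /var/run/charon.dck, and one notification being a 16-bit big-endian length followed by that many bytes of identity text. The sample stream fed to it is constructed. Because the socket is a stream, a read may return part of a message or several messages at once, so the reader keeps a buffer between poll() wake-ups and bounds the accepted identity length rather than trusting the length header.

```c
/* Added example listener for duplicheck notifications (not strongSwan code).
 * Assumed: socket path below, and a 16-bit big-endian length prefix per
 * identity; neither is stated on the wiki page. */
#include <arpa/inet.h>
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define DUPLICHECK_SOCKET "/var/run/charon.dck"   /* assumed path */
#define MAX_ID_LEN 256      /* longer identities are treated as a corrupt stream */

/* Partial data carried between two poll() wake-ups. */
struct dck_reader {
	uint8_t buf[2 * (MAX_ID_LEN + 2)];
	size_t used;
};

/* Parse one notification from the front of buf[0..n). Returns the bytes
 * consumed when a whole message is present, 0 if more data is needed, and
 * -1 if the length header is unusable (0, > MAX_ID_LEN, or >= outlen). */
static ssize_t parse_notification(const uint8_t *buf, size_t n,
                                  char *out, size_t outlen)
{
	uint16_t len;

	if (n < sizeof(len)) return 0;
	memcpy(&len, buf, sizeof(len));
	len = ntohs(len);
	if (len == 0 || len > MAX_ID_LEN || len >= outlen) return -1;
	if (n < sizeof(len) + len) return 0;
	memcpy(out, buf + sizeof(len), len);
	out[len] = '\0';
	return sizeof(len) + len;
}

/* Read once from fd into the reader; call after poll() reported POLLIN.
 * Returns -1 on EOF (charon closed the socket), read error or full buffer. */
static int dck_fill(int fd, struct dck_reader *r)
{
	ssize_t got;

	if (r->used == sizeof(r->buf)) return -1;
	got = read(fd, r->buf + r->used, sizeof(r->buf) - r->used);
	if (got <= 0) return -1;
	r->used += got;
	return 0;
}

/* Take the next complete identity out of the buffer. Returns 1 with out
 * filled, 0 if the buffered message is still incomplete, -1 if corrupt. */
static int dck_pop(struct dck_reader *r, char *out, size_t outlen)
{
	ssize_t n = parse_notification(r->buf, r->used, out, outlen);

	if (n > 0) {
		memmove(r->buf, r->buf + n, r->used - n);
		r->used -= n;
		return 1;
	}
	return n < 0 ? -1 : 0;
}

int main(void)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	struct dck_reader r = { .used = 0 };
	char id[MAX_ID_LEN + 1];
	struct pollfd pfd;
	int fd, rc;

	strncpy(addr.sun_path, DUPLICHECK_SOCKET, sizeof(addr.sun_path) - 1);
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0 || connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		fprintf(stderr, "%s: %s\n", DUPLICHECK_SOCKET, strerror(errno));
		return 1;
	}
	pfd.fd = fd;
	pfd.events = POLLIN;
	/* Stand-in for the application's own main loop: add its other fds here. */
	while (poll(&pfd, 1, -1) > 0) {
		if (dck_fill(fd, &r) < 0) break;
		while ((rc = dck_pop(&r, id, sizeof(id))) > 0) {
			/* Both IKE_SAs of this identity are already gone: alert, don't repair. */
			printf("duplicate peer identity: %s\n", id);
		}
		if (rc < 0) break;
	}
	close(fd);
	return 0;
}
```

If the real tool's framing differs from the assumed length prefix, only parse_notification needs to change; the buffering and the poll() loop stay the same. The MAX_ID_LEN bound is what keeps an oversized or corrupt length header from ever indexing past the buffer.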