duplicheck plugin » History » Version 1
Martin Willi, 28.02.2011 16:22
h1. duplicheck plugin
The _duplicheck_ plugin provides an advanced but very specialized peer identity duplicate check. It works independently of the [[IpsecConf|ipsec.conf]] uniqueids feature.
The behavior of the _duplicheck_ plugin is as follows:
* While establishing a new IKE_SA, check whether one already exists with the same peer identity
* If yes:
** Initiate an IKE_SA delete exchange on the old IKE_SA to liveness-check and simultaneously delete it
** If no response is received after several retransmits of the delete, destroy the old IKE_SA
** If a response is received:
*** Also delete the newly established IKE_SA
*** Send a notification over a UNIX socket to listening applications (if any)
If two IKE_SAs exist with the same peer identity, and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX socket. An example listener is provided with the _duplicheck_ tool: it listens on the socket and receives the affected peer identity.
To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You'll have to start a dedicated thread to read from the socket, or integrate the file descriptor into your application's main loop.
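The following is an added example of such a listener, written for this page and not taken from strongSwan or the _duplicheck_ tool. Two things in it are assumptions that must be verified against duplicheck.c before use: the socket path (a placeholder here) and the wire framing (assumed to be a 16-bit big-endian length followed by the identity bytes without a terminating NUL). The example separates frame decoding from the read loop so that short reads and several notifications arriving in one read() are handled correctly, and the sample notification bytes are constructed for the example.

```c
/* Added example listener for duplicheck notifications; not strongSwan code.
 * ASSUMPTIONS (verify against src/libcharon/plugins/duplicheck/duplicheck.c):
 *  - DUPLICHECK_SOCKET is a placeholder path
 *  - framing: 16-bit big-endian length, then the identity bytes, no NUL
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define DUPLICHECK_SOCKET "/var/run/charon.dck"  /* assumed placeholder path */
#define MAX_IDENTITY 256                         /* longest identity we accept */

/* Constructed sample notification: length 0x0014 (20) + "carol@strongswan.org". */
static const uint8_t sample_notification[] = {
    0x00, 0x14, 'c','a','r','o','l','@','s','t','r','o','n','g',
    's','w','a','n','.','o','r','g'
};

/* Decode one framed notification from buf[0..len).
 * Returns the bytes consumed, 0 if the frame is still incomplete, or -1 if
 * the identity does not fit into out (out_size includes the terminating NUL). */
ssize_t duplicheck_decode(const uint8_t *buf, size_t len, char *out, size_t out_size)
{
    uint16_t id_len;
    if (len < sizeof(id_len)) return 0;
    memcpy(&id_len, buf, sizeof(id_len));
    id_len = ntohs(id_len);
    if (len < sizeof(id_len) + id_len) return 0;   /* need more data */
    if (out_size < (size_t)id_len + 1) return -1;  /* identity too long for caller */
    memcpy(out, buf + sizeof(id_len), id_len);
    out[id_len] = '\0';
    return (ssize_t)(sizeof(id_len) + id_len);
}

/* Read notifications from a connected socket until the peer closes it,
 * tolerating short reads and several frames per read(). The most recent
 * identity is left in last. Returns the number of notifications handled,
 * or -1 on a read error or an oversized frame. */
int duplicheck_read_loop(int fd, char *last, size_t last_size)
{
    uint8_t buf[2 + MAX_IDENTITY];
    size_t used = 0;
    int count = 0;
    ssize_t n;

    for (;;)
    {
        n = read(fd, buf + used, sizeof(buf) - used);
        if (n < 0) return -1;
        if (n == 0) return count;               /* peer closed the socket */
        used += (size_t)n;
        for (;;)
        {
            n = duplicheck_decode(buf, used, last, last_size);
            if (n < 0) return -1;
            if (n == 0) break;                  /* wait for the rest of the frame */
            count++;
            printf("duplicate IKE_SA for peer identity '%s'\n", last);
            memmove(buf, buf + n, used - (size_t)n);
            used -= (size_t)n;
        }
        if (used == sizeof(buf)) return -1;     /* frame larger than MAX_IDENTITY */
    }
}

int main(void)
{
    struct sockaddr_un addr;
    char identity[MAX_IDENTITY + 1];
    int handled;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, DUPLICHECK_SOCKET, sizeof(addr.sun_path) - 1);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
    {
        perror("connect");
        close(fd);
        return 1;
    }
    handled = duplicheck_read_loop(fd, identity, sizeof(identity));
    close(fd);
    return handled < 0 ? 1 : 0;
}
```

As written, main() blocks in the read loop, which matches the dedicated-thread approach mentioned above; to use the main-loop approach instead, register the connected descriptor with your poll() or select() loop and call duplicheck_read_loop()'s inner decoding logic whenever it becomes readable.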