duplicheck plugin » History » Version 3

Martin Willi, 17.03.2011 17:35


duplicheck plugin

The duplicheck plugin provides an advanced but very specialized check for duplicate peer identities. It works independently of the ipsec.conf uniqueids feature.

To enable the plugin, add

    --enable-duplicheck

to the ./configure options.

Behavior

The behavior of the duplicheck plugin is as follows:
  • While establishing a new IKE_SA, check whether an IKE_SA with the same peer identity already exists
  • If yes:
    • Initiate an IKE_SA delete exchange on the old IKE_SA, which simultaneously liveness-checks and deletes it
    • If no response is received after several retransmits to the delete, destroy the old IKE_SA
    • If a response is received:
      • Also delete the newly established IKE_SA
      • Send a notification over a UNIX socket to listening applications (if any)

Configuration

The plugin is configured using the following strongswan.conf options:

Key                                Default  Description
charon.plugins.duplicheck.enabled  Yes      Enable duplicheck functionality

Notifications

If two IKE_SAs exist with the same peer identity, and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX socket. An example listener application is provided with the duplicheck tool: it listens on the socket and receives the affected peer identity.

To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You'll have to start a dedicated thread to read from the socket, or integrate the file descriptor into your application's main loop.
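The listener below is an added example, not strongSwan's duplicheck tool nor any code from the plugin. It shows the part a practitioner usually gets wrong when integrating such a socket into a main loop: reassembling notifications across partial reads and handling several notifications arriving in one read(). Two things are assumptions: the socket path DUPLICHECK_SOCKET_PATH is a placeholder, and the framing (a 16-bit big-endian length followed by the peer identity as a string) is assumed for illustration; the format charon actually writes is defined in duplicheck.c and should be checked before relying on this parser.

```c
/* Added example: a minimal listener for duplicheck notifications over a
 * UNIX socket. Not strongSwan code.
 *
 * Assumptions (not from the wiki page):
 *  - DUPLICHECK_SOCKET_PATH is a placeholder; the real path is fixed by
 *    the charon build (see duplicheck.c in the plugin).
 *  - Framing is assumed to be a 16-bit big-endian length followed by the
 *    peer identity string; verify against duplicheck.c.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define DUPLICHECK_SOCKET_PATH "/path/to/charon-duplicheck.sock" /* placeholder */
#define MAX_ID_LEN 512

/* Result codes of parse_notification(). */
enum { PARSE_OK = 0, PARSE_NEED_MORE = 1, PARSE_TOO_LONG = -1 };

/*
 * Try to extract one notification from buf. On success the identity is
 * copied NUL-terminated into id and *consumed holds the bytes used.
 * Returns PARSE_NEED_MORE if the message is incomplete and PARSE_TOO_LONG
 * if the announced length does not fit the id buffer (treated as desync).
 */
static int parse_notification(const uint8_t *buf, size_t len,
                              char *id, size_t idlen, size_t *consumed)
{
    uint16_t msglen;

    if (len < sizeof(msglen))
        return PARSE_NEED_MORE;
    memcpy(&msglen, buf, sizeof(msglen));
    msglen = ntohs(msglen);
    if (msglen >= idlen)                 /* leave room for the NUL */
        return PARSE_TOO_LONG;
    if (len < sizeof(msglen) + msglen)
        return PARSE_NEED_MORE;
    memcpy(id, buf + sizeof(msglen), msglen);
    id[msglen] = '\0';
    *consumed = sizeof(msglen) + msglen;
    return PARSE_OK;
}

/*
 * Read from fd until the peer closes it, invoking cb for every complete
 * notification. Partial reads are buffered and several messages per
 * read() are handled. Returns the number of notifications delivered, or
 * -1 on a read error or framing desync.
 */
static int run_listener(int fd, void (*cb)(const char *id))
{
    uint8_t buf[sizeof(uint16_t) + MAX_ID_LEN];
    size_t have = 0, used = 0;
    char id[MAX_ID_LEN];
    int count = 0;
    ssize_t n;

    for (;;) {
        n = read(fd, buf + have, sizeof(buf) - have);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            return count;                /* writer closed the socket */
        have += (size_t)n;
        for (;;) {
            int rc = parse_notification(buf, have, id, sizeof(id), &used);
            if (rc == PARSE_NEED_MORE)
                break;
            if (rc == PARSE_TOO_LONG)
                return -1;
            cb(id);
            count++;
            memmove(buf, buf + used, have - used);
            have -= used;
        }
    }
}

static void print_duplicate(const char *id)
{
    printf("duplicate peer identity: %s\n", id);
}

int main(void)
{
    struct sockaddr_un addr;
    int rc, fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, DUPLICHECK_SOCKET_PATH, sizeof(addr.sun_path) - 1);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("connect");
        close(fd);
        return 1;
    }
    rc = run_listener(fd, print_duplicate);
    close(fd);
    return rc < 0 ? 1 : 0;
}
```

run_listener() blocks, so in a real integration it belongs in its own thread as the page suggests, or the read/parse part is driven from the main loop whenever the descriptor becomes readable; parse_notification() is kept separate precisely so it can be called from either.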