duplicheck plugin » History » Version 4

Tobias Brunner, 26.05.2011 12:35
The option is called 'enable' not 'enabled'

duplicheck plugin

The duplicheck plugin provides an advanced but very specialized check for duplicate peer identities. It works independently of the ipsec.conf uniqueids feature.

To enable the plugin, add

to the ./configure options.


The behavior of the duplicheck plugin is as follows:
  • While establishing a new IKE_SA, check whether an IKE_SA with the same peer identity already exists
  • If yes:
    • Initiate an IKE_SA delete exchange on the old IKE_SA, which liveness-checks it and deletes it at the same time
    • If no response to the delete is received after several retransmits, destroy the old IKE_SA
    • If a response is received:
      • Also delete the newly established IKE_SA
      • Send a notification over a UNIX socket to listening applications (if any)


The plugin is configured using the following strongswan.conf options:

Key                               Default  Description
charon.plugins.duplicheck.enable  Yes      Enable duplicheck functionality


If two IKE_SAs exist with the same peer identity, and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX socket. The duplicheck tool is provided as an example listener: it listens on the socket and receives the affected peer identity.

To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You'll have to start a dedicated thread to read from the socket or integrate the file descriptor into your application's main loop.
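As an added example (not code from the strongSwan tree), a minimal listener in C that connects to the notification socket and reads one peer identity per notification through poll(), so the descriptor can be driven from the application's own main loop rather than a dedicated thread. The socket path passed to duplicheck_connect(), the SOCK_SEQPACKET socket type and the plain-string message format are assumptions to be checked against duplicheck.c; the self-test feeds a constructed identity through a socketpair so it runs without charon.

```c
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Connect to charon's duplicheck notification socket; returns fd or -1.
 * SOCK_SEQPACKET (one packet per notification) is an assumption. */
int duplicheck_connect(const char *path)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	int fd = socket(AF_UNIX, SOCK_SEQPACKET, 0);
	if (fd < 0) return -1;
	strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) return fd;
	close(fd);
	return -1;
}

/* Wait up to timeout_ms for one notification and copy the peer identity
 * into id. Returns its length, 0 on timeout, -1 on error or when charon
 * closed the socket (reconnect then). Plain-string format is assumed. */
int duplicheck_read(int fd, int timeout_ms, char *id, size_t idlen)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int rc = poll(&pfd, 1, timeout_ms);
	if (rc <= 0) return rc < 0 ? -1 : 0;
	ssize_t n = recv(fd, id, idlen - 1, 0);
	if (n <= 0) return -1;
	id[n] = '\0';
	/* tolerate a trailing NUL or newline from the sender */
	while (n > 0 && (id[n - 1] == '\0' || id[n - 1] == '\n')) id[--n] = '\0';
	return (int)n;
}

/* Self-test without charon: a constructed notification goes through a socketpair. */
int duplicheck_selftest(void)
{
	const char *msg = "carol@example.org"; /* constructed sample identity */
	int sv[2], ok;
	char id[128];
	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0) return 0;
	send(sv[0], msg, strlen(msg) + 1, 0);
	ok = duplicheck_read(sv[1], 1000, id, sizeof(id)) == (int)strlen(msg)
	  && strcmp(id, msg) == 0 && duplicheck_read(sv[1], 10, id, sizeof(id)) == 0;
	close(sv[0]); /* daemon went away: the next read must report -1 */
	ok = ok && duplicheck_read(sv[1], 10, id, sizeof(id)) == -1;
	close(sv[1]);
	return ok;
}
```

In a real application, call duplicheck_read() with a zero timeout whenever poll() reports the descriptor readable, and reconnect on -1 so a charon restart does not silently stop the notifications.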