duplicheck plugin » History » Version 5

Tobias Brunner, 23.07.2013 12:38

h1. duplicheck plugin

The _duplicheck_ plugin provides an advanced but very specialized peer identity duplicate check. It works independently of the [[IpsecConf|ipsec.conf]] uniqueids feature.

To enable the plugin, add
<pre>--enable-duplicheck</pre> to the ./configure options.

h2. Behavior

The behavior of the _duplicheck_ plugin is as follows:
* While establishing a new IKE_SA, check whether one already exists with the same peer identity
* If yes:
** Initiate an IKE_SA delete exchange on the old IKE_SA, which checks its liveness and deletes it at the same time
** If no response to the delete is received after several retransmits, destroy the old IKE_SA
** If a response is received:
*** Also delete the newly established IKE_SA
*** Send a notification over a UNIX socket to listening applications (if any)

h2. Configuration

The plugin is configured using the following [[strongswanConf|strongswan.conf]] options:

|_. Option|_. Default|_. Description|
|charon.plugins.duplicheck.enable|Yes|Enable duplicheck functionality|
|charon.plugins.duplicheck.socket|file://${piddir}/charon.dck|Socket provided by the duplicheck plugin|

h2. Notifications

If two IKE_SAs exist with the same peer identity, and the old IKE_SA confirmed the triggered delete message, a notification is sent to a listening application over a UNIX or TCP socket (TCP is available since [[5.1.0]]). An example listener application is provided with the _duplicheck_ tool. It connects to the socket and receives the affected peer identity.

To integrate notification listening into your application, see source:src/libcharon/plugins/duplicheck/duplicheck.c. You'll have to start a dedicated thread to read from the socket or integrate the file descriptor into your application's main loop.
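The following is an added example of such a listener, not code from strongSwan or the _duplicheck_ tool. It assumes the wire format is a 16-bit big-endian length prefix followed by the peer identity string (confirm this against duplicheck.c before relying on it) and assumes @${piddir}@ resolves to @/var/run@; both are assumptions of the example. The frame parser keeps any incomplete tail so a notification split across two @recv()@ calls is not lost, which is the case a hand-rolled reader usually gets wrong.

```python
"""Listener for duplicheck notifications (added example, not strongSwan code)."""
import socket
import struct
import sys
from typing import Iterator, List, Tuple

# strongswan.conf default is file://${piddir}/charon.dck; ${piddir} is set at
# build time, so the path below is an assumption for this example.
DEFAULT_SOCKET = "/var/run/charon.dck"


def parse_frames(buf: bytes) -> Tuple[List[str], bytes]:
    """Split a buffer into complete notification frames.

    Assumed wire format (confirm against duplicheck.c): a 16-bit big-endian
    length followed by that many bytes of peer identity. Returns the decoded
    identities and the unconsumed tail, so a caller can prepend it to the
    next recv() chunk; a frame split across two reads is therefore not lost.
    """
    ids: List[str] = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break  # incomplete frame, wait for more data
        ids.append(buf[2:2 + length].decode("utf-8", errors="replace"))
        buf = buf[2 + length:]
    return ids, buf


def listen(path: str = DEFAULT_SOCKET) -> Iterator[str]:
    """Connect to the plugin's UNIX socket and yield peer identities as they arrive.

    Run this in a dedicated thread, or register the socket's fileno() with the
    application's own event loop and call parse_frames() on each chunk.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        pending = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # charon closed the socket
                return
            ids, pending = parse_frames(pending + chunk)
            for identity in ids:
                yield identity


if __name__ == "__main__":
    for identity in listen(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET):
        # A duplicate peer was confirmed alive, so both IKE_SAs have been deleted.
        print(f"duplicate peer identity: {identity}", flush=True)
```

Run it as @python3 listener.py /path/to/charon.dck@ while charon is running with the plugin enabled; each line printed is one peer identity for which the plugin deleted both IKE_SAs, which is the event an operator would want to alert on, since it means the same credentials were used from two places at once.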