Hi Peter,

> I see that both pluto and charon support the uniqueids option, which
> ensures that each peer ID can only connect from one IP at a time. I
> have a situation where some peers are generating multiple connections
> from a single IP and the old ones are left hanging, generally until
> they eventually get cleaned up by DPD. So is there some deep
> technical reason for the different-ip constraint on peer uniquing, or
> is that simply the policy that makes the most sense for most
> deployments?

Have a look at issue #187 [1] which touches on this topic in regards to pluto. In comparison to pluto, charon only uses the IDs to decide if an SA is a duplicate.

> Put another way, what terrible fate would befall me if I were to
> remove the sameaddr check in a private build and enforce unique IDs
> regardless?

You could probably remove the address comparison in pluto, but I'm not entirely sure what the side-effects of this are (it will most likely break if you have more than one Quick Mode SA queued, as that was apparently the reason for the removal of the port comparison in 4.1.7).

Regards,
Tobias

[1] http://wiki.strongswan.org/issues/187

Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users