Hello,

Recently I encountered an issue in my strongSwan setup where, despite using 'uniqueids=yes', one of my tunnels had 2 IKE_SAs installed. This led to the situation that one peer was using one IKE_SA and the other peer the other IKE_SA, breaking all communication.

From what I understand this should be prevented when the 'uniqueids' option is set to yes (and I see evidence of this in my logs as well); however, it seems that this is not always the case (specifically when a host loses all connectivity and then regains it again).

Because not all duplicate IKE_SAs are caught by the current check, I would like to suggest adding a second check (when 'uniqueids=yes') that:

- is delayed by 5 or 10 seconds (after an IKE_SA is established)
- checks if there are multiple IKE_SAs
  ---> deletes an IKE_SA based on the rules for the value of uniqueids, OR
  ---> if multiple IKE_SAs are the same age, deletes the SA with the numerically smaller combined SPIs (always ordered 'smaller SPI' . 'bigger SPI')

This would allow 2 hosts to both have the option auto=start and not worry about creating redundant IKE_SAs. This is a must for high availability setups.

Best Regards,
James
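The selection rule proposed in the message above, written out as an added example; this is not code from the original post and not strongSwan's own code (a real implementation would hook into charon's IKE_SA manager, which is not modelled here). The `demo_ike_sa_t` struct, the `unique_policy_t` enum, the function names and the sample SAs are all constructed for illustration, and the mapping of uniqueids values onto "delete the older SA" (replace) versus "delete the newer SA" (keep) is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical, stripped-down view of an IKE_SA for this example; it is
 * not strongSwan's ike_sa_t. */
typedef struct {
    const char *peer_id;   /* remote identity the uniqueids check keys on */
    uint64_t spi_i;        /* initiator SPI */
    uint64_t spi_r;        /* responder SPI */
    time_t established;    /* time the IKE_SA reached ESTABLISHED */
} demo_ike_sa_t;

/* Assumed mapping of uniqueids values for the example:
 * replace (the proposal's 'yes') deletes the older SA, keep deletes the newer. */
typedef enum { UNIQUE_REPLACE, UNIQUE_KEEP } unique_policy_t;

/* Order the two SPIs as 'smaller SPI' . 'bigger SPI', so the key does not
 * depend on which side happened to be the initiator. */
static void combined_spis(const demo_ike_sa_t *sa, uint64_t *lo, uint64_t *hi)
{
    if (sa->spi_i < sa->spi_r) { *lo = sa->spi_i; *hi = sa->spi_r; }
    else                       { *lo = sa->spi_r; *hi = sa->spi_i; }
}

/* <0 if a's combined SPIs are numerically smaller than b's, 0 if equal, >0 otherwise. */
static int cmp_combined_spis(const demo_ike_sa_t *a, const demo_ike_sa_t *b)
{
    uint64_t alo, ahi, blo, bhi;
    combined_spis(a, &alo, &ahi);
    combined_spis(b, &blo, &bhi);
    if (alo != blo) return alo < blo ? -1 : 1;
    if (ahi != bhi) return ahi < bhi ? -1 : 1;
    return 0;
}

/* The delay from the proposal: an SA is only examined once it has been
 * established for at least delay_s seconds. */
int check_is_due(const demo_ike_sa_t *sa, time_t now, time_t delay_s)
{
    return now - sa->established >= delay_s;
}

/* Among the SAs for peer_id, return the index of the one to delete under the
 * proposed rule, or -1 when the peer has fewer than two IKE_SAs. */
int pick_duplicate_to_delete(const demo_ike_sa_t *sas, size_t n,
                             const char *peer_id, unique_policy_t policy)
{
    int victim = -1;
    size_t matches = 0;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(sas[i].peer_id, peer_id) != 0) continue;
        matches++;
        if (victim < 0) { victim = (int)i; continue; }

        const demo_ike_sa_t *cur = &sas[i], *v = &sas[victim];
        if (cur->established != v->established) {
            /* rule 1: the uniqueids policy decides by age */
            int cur_is_older = cur->established < v->established;
            int delete_older = (policy == UNIQUE_REPLACE);
            if (cur_is_older == delete_older) victim = (int)i;
        } else if (cmp_combined_spis(cur, v) < 0) {
            /* rule 2: same age, delete the numerically smaller combined SPIs */
            victim = (int)i;
        }
    }
    return matches >= 2 ? victim : -1;
}

/* Constructed sample data (not real SAs). Both peer-b SAs below were
 * established in the same second, the case the age rule cannot decide. */
const demo_ike_sa_t sample_same_age[] = {
    { "peer-b", 0x1111, 0x9999, 1000 },
    { "peer-b", 0x2222, 0x0001, 1000 },   /* combined (0x0001, 0x2222): smaller */
    { "peer-c", 0x3333, 0x4444, 1000 },
};
const demo_ike_sa_t sample_reversed[] = {   /* same two SAs, listed the other way round */
    { "peer-b", 0x2222, 0x0001, 1000 },
    { "peer-b", 0x1111, 0x9999, 1000 },
};
const demo_ike_sa_t sample_aged[] = {
    { "peer-b", 0x1111, 0x9999, 1000 },
    { "peer-b", 0x2222, 0x0001, 1005 },
};

int main(void)
{
    printf("same age, order A:       delete index %d\n",
           pick_duplicate_to_delete(sample_same_age, 3, "peer-b", UNIQUE_REPLACE));
    printf("same age, order B:       delete index %d\n",
           pick_duplicate_to_delete(sample_reversed, 2, "peer-b", UNIQUE_REPLACE));
    printf("different age, replace:  delete index %d\n",
           pick_duplicate_to_delete(sample_aged, 2, "peer-b", UNIQUE_REPLACE));
    printf("different age, keep:     delete index %d\n",
           pick_duplicate_to_delete(sample_aged, 2, "peer-b", UNIQUE_KEEP));
    return 0;
}
```

The point of ordering the SPIs as smaller . bigger is that both peers derive the same key from the same pair of SPIs, which travel in the IKE header and are therefore identical on both sides; establishment time, by contrast, is local to each host. For the split described in the message (each peer keeping a different IKE_SA) to be resolved rather than repeated, the tie-break must be one that both peers compute identically, and the SPI rule is the part of the proposal that has that property.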
