Note RFC 7296 states:

    Note that IKEv2 deliberately allows parallel SAs with the same Traffic Selectors between common endpoints. One of the purposes of this is to support traffic quality of service (QoS) differences among the SAs (see [DIFFSERVFIELD], [DIFFSERVARCH], and Section 4.1 of [DIFFTUNNEL]). Hence unlike IKEv1, the combination of the endpoints and the Traffic Selectors may not uniquely identify an SA between those endpoints, so the IKEv1 rekeying heuristic of deleting SAs on the basis of duplicate Traffic Selectors SHOULD NOT be used.

My reading is that uniqueids= therefore should be ignored for IKEv2, and perhaps the option should be renamed to ikev1-uniqueids=

For the roadwarrior reconnecting case, I guess INITIAL_CONTACT should be used, or a simple liveness probe could be sent over the older IKE SA to see if there is still anyone there.

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
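The difference the message draws between the two cleanup strategies, as an added illustration that is not part of the original mail or of libreswan's code: a toy Child SA table in which the IKEv1 "duplicate Traffic Selectors" heuristic is applied on install, versus an INITIAL_CONTACT-style cleanup keyed on the peer identity. The class and function names, the peer identities, prefixes, SPIs and DSCP labels are all constructed for this example; the two scenario functions return the SPIs that survive and the SPIs that were deleted so the outcome can be checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChildSA:
    """A minimal Child SA record (constructed for this example)."""
    peer_id: str       # authenticated peer identity (IDr/IDi)
    local_ts: str      # local Traffic Selector, one prefix for simplicity
    remote_ts: str     # remote Traffic Selector
    spi: int           # inbound SPI, the real unique key of an SA
    dscp: str = "BE"   # QoS class this SA is meant to carry


class SADatabase:
    """Hypothetical SA table that can apply either cleanup policy."""

    def __init__(self):
        self.sas: list[ChildSA] = []

    def install(self, sa: ChildSA, ikev1_duplicate_ts_heuristic: bool = False):
        """Install an SA; optionally apply the IKEv1 duplicate-TS heuristic.

        Returns the list of SAs the heuristic deleted (empty when it is off).
        """
        deleted = []
        if ikev1_duplicate_ts_heuristic:
            key = (sa.peer_id, sa.local_ts, sa.remote_ts)
            for old in list(self.sas):
                if (old.peer_id, old.local_ts, old.remote_ts) == key:
                    self.sas.remove(old)
                    deleted.append(old)
        self.sas.append(sa)
        return deleted

    def initial_contact(self, peer_id: str, keep_spi: int):
        """Cleanup on INITIAL_CONTACT from peer_id: drop every SA with that
        peer except the one being established (keep_spi). Traffic Selectors
        play no part in the decision, so parallel SAs are unaffected."""
        stale = [s for s in self.sas if s.peer_id == peer_id and s.spi != keep_spi]
        self.sas = [s for s in self.sas if s not in stale]
        return stale


def parallel_qos_scenario(use_ikev1_heuristic: bool):
    """Two parallel SAs with identical TS but different DSCP, as RFC 7296
    permits. Returns (surviving SPIs, deleted SPIs)."""
    db = SADatabase()
    db.install(ChildSA("gw-b", "10.0.0.0/24", "10.1.0.0/24", 0x1001, dscp="EF"))
    deleted = db.install(
        ChildSA("gw-b", "10.0.0.0/24", "10.1.0.0/24", 0x1002, dscp="BE"),
        ikev1_duplicate_ts_heuristic=use_ikev1_heuristic,
    )
    return [s.spi for s in db.sas], [s.spi for s in deleted]


def roadwarrior_reconnect_scenario():
    """A roadwarrior whose old SA was never deleted reconnects; the stale SA
    is removed via INITIAL_CONTACT, not via duplicate Traffic Selectors.
    Returns (surviving SPIs, deleted SPIs)."""
    db = SADatabase()
    db.install(ChildSA("rw-bob", "0.0.0.0/0", "192.0.2.7/32", 0x2001))  # stale
    db.install(ChildSA("rw-bob", "0.0.0.0/0", "192.0.2.7/32", 0x2002))  # new
    stale = db.initial_contact("rw-bob", keep_spi=0x2002)
    return [s.spi for s in db.sas], [s.spi for s in stale]


if __name__ == "__main__":
    print("IKEv1 heuristic on parallel QoS SAs:", parallel_qos_scenario(True))
    print("IKEv2 rule on parallel QoS SAs:     ", parallel_qos_scenario(False))
    print("Roadwarrior reconnect via INITIAL_CONTACT:", roadwarrior_reconnect_scenario())
```

With the heuristic on, the second QoS SA silently deletes the first even though both are wanted; with it off, both coexist, and the reconnect case still gets cleaned up because INITIAL_CONTACT keys on the peer identity rather than on the Traffic Selectors.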
