Hi,

> This is a good case where the INITIAL_CONTACT notify could delete the
> old SA, but we currently do not support it.
I've implemented INITIAL_CONTACT support for the upcoming 4.5.1. If the ipsec.conf uniqueids option is not set to 'no', the initiator sends this notify if it does not have an SA with the same peer.

There are some requirements, though: the initiator must have the responder identity configured (using rightid), otherwise it can't compare the identity to existing SAs. Further, EAP is currently not supported, as the initiator ID we are comparing is never authenticated.

If a responder receives an INITIAL_CONTACT, it deletes any SAs having the same identities immediately. This will release the address of any dangling tunnel and it can be reassigned during the same connection attempt.

A snapshot is available at [1].

Regards
Martin

[1] http://download.strongswan.org/snapshots/strongswan-4.5.0-446-gfb1e7df.tar.bz2
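The following is an added example written for this page; it is not strongSwan code and not part of Martin's post. It models both sides of the behaviour he describes: the initiator's decision to include N(INITIAL_CONTACT) (uniqueids not 'no', rightid configured, no EAP, no existing SA with that peer) and the responder's immediate deletion of same-identity SAs, which returns a dangling tunnel's virtual IP to the pool so the reconnecting client can get it in the same attempt. The identities (alice@example.org, vpn.example.org), the one-address pool and the crash-and-reconnect scenario are constructed for illustration.

```python
# Added example for this page, not strongSwan code. Models INITIAL_CONTACT
# handling on a roadwarrior (initiator) and a gateway (responder) with a
# virtual IP pool. Identities and pool addresses are assumed values.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IkeSa:
    local_id: str                   # identity of the side owning this table
    remote_id: str                  # authenticated peer identity
    virtual_ip: Optional[str] = None


@dataclass
class InitiatorConfig:
    uniqueids: str = "yes"          # ipsec.conf uniqueids; 'no' disables the notify
    rightid: Optional[str] = None   # configured responder identity
    eap: bool = False               # EAP: initiator ID is never authenticated


def initiator_sends_initial_contact(cfg: InitiatorConfig,
                                    existing: List[IkeSa], local_id: str) -> bool:
    """Return True if the initiator should include N(INITIAL_CONTACT) in IKE_AUTH."""
    if cfg.uniqueids == "no":
        return False
    if cfg.rightid is None:
        # Without rightid there is no responder identity to compare against.
        return False
    if cfg.eap:
        # The responder would compare an initiator ID that is never authenticated.
        return False
    # Only send the notify if no SA with the same peer already exists.
    return not any(sa.local_id == local_id and sa.remote_id == cfg.rightid
                   for sa in existing)


class Responder:
    """Minimal gateway holding an SA table and a virtual IP pool."""

    def __init__(self, pool: List[str]):
        self.pool = list(pool)
        self.sas: List[IkeSa] = []

    def handle_ike_auth(self, local_id: str, remote_id: str,
                        initial_contact: bool) -> Optional[IkeSa]:
        """Process an IKE_AUTH whose identities are already authenticated.

        With INITIAL_CONTACT present, SAs with the same identities are deleted
        first and their addresses go back to the pool, so a dangling tunnel's
        address can be reassigned within this same connection attempt.
        Returns None when no address is left for the new SA.
        """
        if initial_contact:
            stale = [sa for sa in self.sas
                     if sa.local_id == local_id and sa.remote_id == remote_id]
            for sa in stale:
                self.sas.remove(sa)
                if sa.virtual_ip is not None:
                    self.pool.insert(0, sa.virtual_ip)   # released immediately
        if not self.pool:
            return None   # pool exhausted: a dangling SA still holds the address
        sa = IkeSa(local_id, remote_id, self.pool.pop(0))
        self.sas.append(sa)
        return sa


def reconnect_scenario(uniqueids: str) -> Tuple[Optional[str], int]:
    """Constructed scenario: a client connects, crashes without sending DELETE,
    then reconnects. Returns (address assigned on reconnect or None,
    number of SAs the gateway holds afterwards)."""
    gw = Responder(pool=["10.0.0.1"])    # a single address forces the conflict
    cfg = InitiatorConfig(uniqueids=uniqueids, rightid="vpn.example.org")
    me = "alice@example.org"

    client_sas: List[IkeSa] = []
    first = gw.handle_ike_auth("vpn.example.org", me,
                               initiator_sends_initial_contact(cfg, client_sas, me))
    client_sas.append(IkeSa(me, "vpn.example.org", first.virtual_ip))

    client_sas = []   # crash: all client-side SA state is lost
    second = gw.handle_ike_auth("vpn.example.org", me,
                                initiator_sends_initial_contact(cfg, client_sas, me))
    return (second.virtual_ip if second else None, len(gw.sas))


if __name__ == "__main__":
    print("uniqueids=yes:", reconnect_scenario("yes"))   # ('10.0.0.1', 1)
    print("uniqueids=no: ", reconnect_scenario("no"))    # (None, 1)
```

With uniqueids left at its default the reconnecting client gets its old address back and the gateway ends up with one SA; with uniqueids=no the notify is never sent, the stale SA keeps the only address, and the new connection is refused for lack of a free address.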
