Hello Joern,

> that initial_contact support can be turned off by using the “uniqueids”
> parameter but this parameter is already set to “no” without improving
> the situation.

If a responder receives an INITIAL_CONTACT, it will delete any existing connections using the same IKE identities. This happens regardless of any uniqueids setting on the responder. As an initiator, however, the uniqueids setting can change the behavior of sending this INITIAL_CONTACT. If uniqueids=no, it is not sent, but it is when using "keep" or "replace". Setting uniqueids=no on the client should disable the INITIAL_CONTACT and fix your issue.

RFC 5996 says:

> The INITIAL_CONTACT notification asserts that this IKE SA is the only
> IKE SA currently active between the authenticated identities. It MAY
> be sent when an IKE SA is established after a crash, and the
> recipient MAY use this information to delete any other IKE SAs it has
> to the same authenticated identity without waiting for a timeout.
> This notification MUST NOT be sent by an entity that may be
> replicated (e.g., a roaming user's credentials where the user is
> allowed to connect to the corporate firewall from two remote systems
> at the same time).

Kind Regards
Martin

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
