[Swan-dev] uniqueids and ikev2

Paul Wouters paul at nohats.ca
Fri Dec 11 17:51:19 UTC 2015

Note RFC-7296 states:

    Note that IKEv2 deliberately allows parallel SAs with the same
    Traffic Selectors between common endpoints.  One of the purposes of
    this is to support traffic quality of service (QoS) differences among
    the SAs (see [DIFFSERVFIELD], [DIFFSERVARCH], and Section 4.1 of
    [DIFFTUNNEL]).  Hence unlike IKEv1, the combination of the endpoints
    and the Traffic Selectors may not uniquely identify an SA between
    those endpoints, so the IKEv1 rekeying heuristic of deleting SAs on
    the basis of duplicate Traffic Selectors SHOULD NOT be used.

My reading is that uniqueids= therefor should be ignored for IKEv2, and
perhaps the option should be renamed to ikev1-uniqueids=

For the roadwarrior reconnecting case, I guess INITIAL_CONTACT should be
used, or a simple liveness probe could be send over the older IKE SA to
see if there is still anyone there.


More information about the Swan-dev mailing list