[Swan-dev] uniqueids and ikev2
Paul Wouters
paul at nohats.ca
Fri Dec 11 17:51:19 UTC 2015
Note RFC-7296 states:
Note that IKEv2 deliberately allows parallel SAs with the same
Traffic Selectors between common endpoints. One of the purposes of
this is to support traffic quality of service (QoS) differences among
the SAs (see [DIFFSERVFIELD], [DIFFSERVARCH], and Section 4.1 of
[DIFFTUNNEL]). Hence unlike IKEv1, the combination of the endpoints
and the Traffic Selectors may not uniquely identify an SA between
those endpoints, so the IKEv1 rekeying heuristic of deleting SAs on
the basis of duplicate Traffic Selectors SHOULD NOT be used.
My reading is that uniqueids= therefore should be ignored for IKEv2, and
perhaps the option should be renamed to ikev1-uniqueids=
For the roadwarrior reconnecting case, I guess INITIAL_CONTACT should be
used, or a simple liveness probe could be sent over the older IKE SA to
see if there is still anyone there.
Paul
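As an added illustration (not part of this post and not libreswan's own code), a small Python model of the two behaviours the quoted RFC text contrasts: an SA table that applies the IKEv1 "duplicate Traffic Selectors" heuristic and so deletes the older Child SA, beside an IKEv2 table that keeps parallel SAs with identical selectors apart by SPI and DSCP marking, plus an INITIAL_CONTACT handler that drops the same peer's older IKE SAs. The class names, the peer identity and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed, simplified representations of IKE state; real implementations
# carry far more (algorithms, keys, lifetimes, TS lists rather than one TS).

@dataclass(frozen=True)
class TrafficSelector:
    local_net: str
    remote_net: str
    proto: int = 0          # 0 = any protocol

@dataclass
class ChildSA:
    spi: int
    ts: TrafficSelector
    dscp: int = 0           # QoS marking; the reason parallel SAs may exist

@dataclass
class IkeSA:
    ike_sa_id: int
    peer_id: str            # authenticated peer identity (IDr/IDi)
    local_addr: str
    remote_addr: str
    children: list = field(default_factory=list)

class SADatabase:
    def __init__(self):
        self.ike_sas = {}

    def add_ike_sa(self, sa):
        self.ike_sas[sa.ike_sa_id] = sa

    def install_child_ikev1(self, ike_sa_id, child):
        """IKEv1-style uniqueids heuristic: (endpoints, TS) is assumed to identify
        one SA, so any existing Child SA with the same TS between the same
        endpoints is deleted. Returns the SPIs it deleted."""
        parent = self.ike_sas[ike_sa_id]
        deleted = []
        for other in self.ike_sas.values():
            if (other.local_addr, other.remote_addr) != (parent.local_addr, parent.remote_addr):
                continue
            keep = []
            for c in other.children:
                if c.ts == child.ts:
                    deleted.append(c.spi)   # would also kill a legitimate QoS-parallel SA
                else:
                    keep.append(c)
            other.children = keep
        parent.children.append(child)
        return deleted

    def install_child_ikev2(self, ike_sa_id, child):
        """IKEv2 (RFC 7296): parallel SAs with the same TS are legitimate, so
        nothing is deleted; the SPI alone identifies the Child SA."""
        self.ike_sas[ike_sa_id].children.append(child)
        return []

    def handle_initial_contact(self, new_ike_sa_id):
        """INITIAL_CONTACT (RFC 7296 section 2.4) asserts that the new IKE SA is the
        only one the peer has with us, so older IKE SAs (and their Child SAs)
        for that authenticated peer identity can be removed. Returns their ids."""
        new = self.ike_sas[new_ike_sa_id]
        stale = [i for i, sa in self.ike_sas.items()
                 if sa.peer_id == new.peer_id and i != new_ike_sa_id]
        for i in stale:
            del self.ike_sas[i]
        return stale

    def child_spis(self):
        return sorted(c.spi for sa in self.ike_sas.values() for c in sa.children)

def demo():
    """Constructed scenario: one roadwarrior peer sets up two Child SAs with
    identical selectors but different DSCP, then reconnects with INITIAL_CONTACT."""
    ts = TrafficSelector("10.0.1.0/24", "10.0.2.0/24")
    peer = "rw@example.test"        # constructed peer identity
    results = {}

    # IKEv1-style heuristic: the second (EF-marked) SA evicts the first.
    db1 = SADatabase()
    db1.add_ike_sa(IkeSA(1, peer, "192.0.2.1", "198.51.100.7"))
    db1.install_child_ikev1(1, ChildSA(0x1001, ts, dscp=0))
    results["ikev1_deleted"] = db1.install_child_ikev1(1, ChildSA(0x1002, ts, dscp=46))
    results["ikev1_spis"] = db1.child_spis()

    # IKEv2 behaviour: both SAs coexist, distinguished by SPI/DSCP.
    db2 = SADatabase()
    db2.add_ike_sa(IkeSA(1, peer, "192.0.2.1", "198.51.100.7"))
    db2.install_child_ikev2(1, ChildSA(0x1001, ts, dscp=0))
    db2.install_child_ikev2(1, ChildSA(0x1002, ts, dscp=46))
    results["ikev2_spis"] = db2.child_spis()

    # Roadwarrior reconnects from a new address with INITIAL_CONTACT:
    # the old IKE SA (and its Child SAs) is what gets removed, not a duplicate TS.
    db2.add_ike_sa(IkeSA(2, peer, "192.0.2.1", "203.0.113.9"))
    results["initial_contact_removed"] = db2.handle_initial_contact(2)
    results["spis_after_initial_contact"] = db2.child_spis()
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes is the one in the RFC text: under the IKEv1 heuristic the second SA silently evicts the first, which for IKEv2 would break a deliberate QoS split, whereas INITIAL_CONTACT cleans up by peer identity and IKE SA, which is the right granularity for the reconnecting roadwarrior.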