duplicheck Plugin
Purpose
The duplicheck plugin for libcharon provides an advanced but very
specialized check for duplicate peer identities that works independently from the
unique connection feature (uniqueids).
The plugin is disabled by default and can be enabled with the
./configure option --enable-duplicheck
Behavior
The behavior of the duplicheck plugin is as follows:
- While establishing a new IKE SA, check whether one already exists with the same peer identity.
  - If yes:
    - Initiate an IKE_SA delete exchange on the old IKE SA; this liveness-checks the old SA and deletes it at the same time.
    - If no response to the delete is received after several retransmits, destroy the old IKE SA (the old peer is gone, so only the new SA remains).
    - If a response is received:
      - Also delete the newly established IKE SA.
      - Send a notification over a UNIX socket to listening applications (if any).
The liveness check is the point of the plugin: an old SA that still answers the delete means the same identity is in use from two places at once, so both SAs are torn down and the identity is reported to listeners rather than silently replacing the old SA as uniqueids would.
Configuration
The duplicheck plugin is configured using the following options in the
charon.plugins.duplicheck
section of strongswan.conf:
| Key | Default | Description |
|---|---|---|
| enable | | Enable duplicheck functionality |
| socket | | Socket provided by the duplicheck plugin |
Notifications
If two IKE SAs exist with the same peer identity and the old IKE SA confirmed
the triggered delete message, a notification is sent to a listening application
over a UNIX or TCP socket. An example listener is provided with the duplicheck
tool: it listens on the socket and receives the affected peer identity. To
integrate notification listening into your own application, see
You'll have to start a dedicated thread to read from the socket, or integrate the file descriptor into your application's main loop.