Add uniqueids=never to ignore INITIAL_CONTACT notifies

With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received.  With this new option
it also ignores these notifies.

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 7c336c451bfa2083fedbeb074a570f5bb6845855..73db23511e247ce7b8df26da8d9d47dc68f140ac 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1035,19 +1035,26 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
-.B yes
+.BR yes ,
 (the default)
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receving an INITIAL_CONTACT
+notify when the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
 The daemon also accepts the value
 .B replace
 which is identical to

diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index f65b91258fe2dfc0275aab4ec89e3925d0e67c56..418e45532fec588031a66963a000d811fb24ecd4 100644 (file)
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -81,11 +81,13 @@ extern enum_name_t *cert_policy_names;
  * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
  */
 enum unique_policy_t {
-       /** do not check for client uniqueness */
+       /** never check for client uniqueness */
+       UNIQUE_NEVER,
+       /** only check for client uniqueness when receiving an INITIAL_CONTACT */
        UNIQUE_NO,
-       /** replace unique IKE_SAs if new ones get established */
+       /** replace existing IKE_SAs when new ones get established by a client */
        UNIQUE_REPLACE,
-       /** keep existing IKE_SAs, close the new ones on connection attept */
+       /** keep existing IKE_SAs, close the new ones on connection attempt */
        UNIQUE_KEEP,
 };
 

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index e3c78f75032ab0f23d5c9531cca0753bb76e84af..fd11826198a627b49138c947e5b2244166efbe23 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -690,6 +690,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
                case 3: /* keep */
                        unique = UNIQUE_KEEP;
                        break;
+               case 4: /* never */
+                       unique = UNIQUE_NEVER;
+                       break;
                default: /* no */
                        unique = UNIQUE_NO;
                        break;

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index b707b6a0b93735e739b1dcecfae9465fd381b7dd..a396235c2dd2ff85edfe0fd5d3a468c38a8784bc 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1711,7 +1711,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 
        peer_cfg = ike_sa->get_peer_cfg(ike_sa);
        policy = peer_cfg->get_unique_policy(peer_cfg);
-       if (policy == UNIQUE_NO && !force_replace)
+       if (policy == UNIQUE_NEVER || (policy == UNIQUE_NO && !force_replace))
        {
                return FALSE;
        }

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 36f8acfd18f256749e3b279e6f75bd9009f15dcf..7d462f1a7e203dc09a543dffc6caa7d90469114f 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -435,7 +435,8 @@ METHOD(task_t, build_i, status_t,
                message->add_payload(message, (payload_t*)id_payload);
 
                if (idr && message->get_message_id(message) == 1 &&
-                       this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
+                       this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+                       this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
                {
                        host_t *host;
 

diff --git a/src/starter/args.c b/src/starter/args.c
index eb25b2abbed19aaeff4050bdcd8fd4bff596dc65..2416960bd2b3e583742440d768139ca73f249718 100644 (file)
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -61,6 +61,7 @@ static const char *LST_unique[] = {
        "yes",
        "replace",
        "keep",
+       "never",
         NULL
 };