From f4cc7ea11b742dbd97b380b4aee032b38a6c00cf Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Mon, 10 Sep 2012 17:24:21 +0200 Subject: Add uniqueids=never to ignore INITIAL_CONTACT notifies With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies. --- man/ipsec.conf.5.in | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'man') diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 7c336c451..73db23511 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -1035,19 +1035,26 @@ if at least one CRL URI is defined and to .B no if no URI is known. .TP -.BR uniqueids " = " yes " | no | replace | keep" +.BR uniqueids " = " yes " | no | never | replace | keep" whether a particular participant ID should be kept unique, -with any new (automatically keyed) -connection using an ID from a different IP address -deemed to replace all old ones using that ID; +with any new IKE_SA using an ID deemed to replace all old ones using that ID; acceptable values are -.B yes +.BR yes , (the default) +.B no and -.BR no . -Participant IDs normally \fIare\fR unique, -so a new (automatically-keyed) connection using the same ID is -almost invariably intended to replace an old one. +.BR never . +Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is +almost invariably intended to replace an old one. The difference between +.B no +and +.B never +is that the daemon will replace old IKE_SAs when receving an INITIAL_CONTACT +notify when the option is +.B no +but will ignore these notifies if +.B never +is configured. The daemon also accepts the value .B replace which is identical to -- cgit v1.2.3
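Review bot: typo in the added text, "receving" should be "receiving" in `is that the daemon will replace old IKE_SAs when receving an INITIAL_CONTACT`. Also, attaching the comma to `.BR yes ,` before the parenthetical makes the value list render as "yes, (the default) no and never"; putting the comma after the parenthetical (`.B yes` / `(the default),` / `.B no` / `and` / `.BR never .`) reads as "yes (the default), no and never", which matches the sentence structure of the old text.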