Revert "Send INITIAL_CONTACT even if we have a unique policy"

It makes sense to omit INITIAL_CONTACT if don't have a unique policy,
as a client might want to connect from different devices to the same
account.

This reverts commit 719c33b41a1f9fe9b2585df3e7aa804a760c361c.

diff --git a/NEWS b/NEWS
index e8c050a..fbae771 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -42,7 +42,8 @@ strongswan-4.5.1
   xcbc algorithms.
 
 - The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
-  responder.
+  responder. The notify is sent when initiating configurations with a unique
+  policy, set in ipsec.conf via the global 'uniqueids' option.
 
 - The conftest conformance testing framework enables the IKEv2 stack to perform
   many tests using a distinct tool and configuration frontend. Various hooks

diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index e48916e..178989a 100644 (file)
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -429,7 +429,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                get_reserved_id_bytes(this, id_payload);
                message->add_payload(message, (payload_t*)id_payload);
 
-               if (idr && message->get_message_id(message))
+               if (idr && message->get_message_id(message) == 1 &&
+                       this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
                {
                        host_t *host;