<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>Hi.</div>
<div><br>
</div>
<div>I am having trouble forcing a rekey of an IPsec/child SA. I've</div>
<div>tried two methods so far. First, I tried constructing a Netlink</div>
<div>message, in the hope that the kernel would reflect it back to</div>
<div>Strongswan. That didn't work, though it could well be that</div>
<div>there's something wrong with my message. I haven't seen any</div>
<div>diagnostic output from the kernel to indicate what I might have</div>
<div>done wrong. And there's no indication of my XFRM_MSG_EXPIRE</div>
<div>in the charon logfile.<br>
</div>
<div><br>
</div>
<div>So I thought I'd try the various CLIs. The problem now is that I</div>
<div>cannot create a new child SA without first killing the existing</div>
<div>one. That's suboptimal because of course it will create traffic</div>
<div>drops.</div>
<div><br>
</div>
<div>For example:</div>
<div><br>
</div>
<div>v@vm-s2s11242-2:~$ sudo /usr/sbin/swanctl --initiate --child peer-10.10.2.3-tunnel-1 </div>
<div>[ENC] generating QUICK_MODE request 1222671508 [ HASH SA No KE ID ID ]</div>
<div>[NET] sending packet: from 10.10.2.2[500] to 10.10.2.3[500] (380 bytes)</div>
<div>[NET] received packet: from 10.10.2.3[500] to 10.10.2.2[500] (380 bytes)</div>
<div>[ENC] parsed QUICK_MODE response 1222671508 [ HASH SA No KE ID ID ]</div>
<div>[CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists</div>
<div>[IKE] unable to install IPsec policies (SPD) in kernel</div>
<div>initiate failed: establishing CHILD_SA 'peer-10.10.2.3-tunnel-1' failed</div>
<div><br>
</div>
<div>So, what should I do next?</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>c<br>
</div>
<p><br>
</p>
</body>
</html>