[strongSwan-dev] [PATCH 0/2] Rekeying collisions vs. delete action
Martin Willi
martin at strongswan.org
Wed Jun 2 11:59:13 CEST 2010
Hi Thomas,
> If the peer with the SA configured to be restarted
> wins the rekey collision it honors the restart action once the other
> peers sends a delete notification, and reinitiates the (actually
> duplicate) SA. This results in a growing number of superseded child sas
> (which I cleverly configured to time out in an infinite time, i.e.
> never).
I've seen on our server that there sometimes pops up an additional
CHILD_SA after it was running for a longer time. Now I finally know what
was happening. I seldom use dpd/close actions in my tests, so I couldn't
reproduce it... Many thanks for pointing this out.
> The attached patch introduces a new data member to the child sa,
I slightly modified the patch to wrap the complete get_close_action()
into the CHILD_SA. This allows us to override the close action whenever
we want for a specific CHILD_SA, might come in handy sometime. Same for
get_dpd_action().
> can be used to set and retrieve information on whether the child is
> going to be deleted by the peer, so that the SAs delete action is going
> to be ignored.
I've added the same functionality based on the new setter.
Many thanks for the patches.
Best regards
Martin
More information about the Dev
mailing list