[strongSwan-dev] Phase 2 rekeying using different physical channel

Igor Lopez Orbe igorlor at gmail.com
Fri Jul 13 11:01:12 CEST 2012


Thanks for your answer.

> What do you mean by a different physical channel? What about Phase 1?

>> If the plugin interface has direct access to PF_KEY i guess it would be
>> possible, am i right?
> We have an abstraction layer for SAD/SPD management, called
> kernel_interface_ipsec. We have different plugins providing an
> implementation, including one for Netlink and one for PF_KEY. But I
> don't understand how PF_KEY is related to your separated Phase 2
> rekeying...
> Regards
> Martin

I would like to be able to use another channel for child_sa rekeying.
The scenario would be one regular connection for data exchange and
then do child rekeying key exchange using another secure channel
(provided by an external device, for example QKD device). That' s why
I need access to PF_KEY, to intercept the expire message from kernel,
do the new key exchange through external secure channel and then send
back to kernel new key to update SADB.
As the key exchange channel will be secure channel i dont really need
Phase 1 I guess, but i think it will be easier to change only phase 2
intercepting kernel messages and providing new keys for ESP and AH.

IDo you think it would be possible to do it with a plugin or I should
change charon?



More information about the Dev mailing list