[strongSwan-dev] How to best conduct a cipher key update?

Marksteiner, Stefan stefan.marksteiner at joanneum.at
Fri Nov 15 00:11:14 CET 2013

Hi Folks,

I'm sorry to post a little off-topic, but I need help from real experts as I can't seem to find any information about this issue on the web.

I am working on a C++ project where it is necessary to establish IPsec SAs with ESP and rapidly change the encryption key. To accomplish this I'm using Netlink/XFRM messages to alter the SAD.
Right now I'm deleting the corresponding SA and creating a new one (XFRM_MSG_DELSA and a subsequent XFRM_MSG_NEWSA) to update the key. This seems a little bit clumsy to me.

Is there a better way to do this?

I've tried to use NLM_F_REPLACE in the Netlink message flags and XFRM_MSG_UPDSA as the message type, but these messages had simply no effect (not even a Netlink error message). I've seen XFRM_MSG_UPDSA being used to complete SAs initiated by XFRM_MSG_ALLOCSPI messages from state larval to mature.

Is this the only purpose for XFRM_MSG_UPDSA-type messages or may I use them somehow to alter encryption keys?

As the keys have to change rapidly (as stated above), performance is a factor. Therefore I want to strain my system with as few administrative IPsec (=Netlink/XFRM) operations as possible.

Any help from the IPsec dev sages is highly appreciated :)

Thanks and cheers,
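The delete-then-create sequence the post describes, written out as an added example (this is not the poster's code, nor strongSwan's). It builds an XFRM_MSG_DELSA and an XFRM_MSG_NEWSA request by hand over a NETLINK_XFRM socket and waits for the kernel's reply to each. It assumes IPv4, transport mode and an AES-GCM AEAD (`rfc4106(gcm(aes))`, 128-bit key plus 4-byte salt); the addresses, SPI, reqid and key in `main` are constructed sample values, and the `build_*`, `xfrm_transact` and `rekey_esp_sa` names are this example's own. Building the messages needs no privileges; sending them needs CAP_NET_ADMIN.

```c
// Added example (not the poster's code): rekey an ESP SA by deleting it
// (XFRM_MSG_DELSA) and installing a fresh one (XFRM_MSG_NEWSA) via NETLINK_XFRM.
// Assumes IPv4 transport mode and an AES-GCM AEAD; all values are constructed.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

#define REQ_PAYLOAD 512
#define MAX_AEAD_KEY 64

/* One request: netlink header followed by the XFRM payload and attributes. */
struct xfrm_req {
    struct nlmsghdr nlh;
    unsigned char payload[REQ_PAYLOAD];
};

/* Append a netlink attribute (nlattr header + data) to the request. */
static int add_attr(struct xfrm_req *r, uint16_t type, const void *data, size_t len)
{
    size_t off = NLMSG_ALIGN(r->nlh.nlmsg_len);
    size_t alen = NLA_HDRLEN + len;
    if (off + NLA_ALIGN(alen) > sizeof *r)
        return -1;
    struct nlattr *a = (struct nlattr *)((unsigned char *)r + off);
    a->nla_type = type;
    a->nla_len = (uint16_t)alen;
    memcpy((unsigned char *)a + NLA_HDRLEN, data, len);
    r->nlh.nlmsg_len = (uint32_t)(off + NLA_ALIGN(alen));
    return 0;
}

/* XFRM_MSG_DELSA: the SA is identified by destination, SPI and protocol. */
size_t build_delsa(struct xfrm_req *r, uint32_t dst, uint32_t spi, uint32_t seq)
{
    memset(r, 0, sizeof *r);
    struct xfrm_usersa_id *id = NLMSG_DATA(&r->nlh);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof *id);
    r->nlh.nlmsg_type = XFRM_MSG_DELSA;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;  /* always get an explicit reply */
    r->nlh.nlmsg_seq = seq;
    id->daddr.a4 = dst;
    id->spi = spi;
    id->family = AF_INET;
    id->proto = IPPROTO_ESP;
    return r->nlh.nlmsg_len;
}

/* XFRM_MSG_NEWSA: install an ESP SA carrying a new AES-GCM key (key || salt). */
size_t build_newsa(struct xfrm_req *r, uint32_t src, uint32_t dst, uint32_t spi,
                   uint32_t reqid, const uint8_t *key, size_t key_len, uint32_t seq)
{
    if (key_len > MAX_AEAD_KEY)
        return 0;
    memset(r, 0, sizeof *r);
    struct xfrm_usersa_info *sa = NLMSG_DATA(&r->nlh);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof *sa);
    r->nlh.nlmsg_type = XFRM_MSG_NEWSA;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    r->nlh.nlmsg_seq = seq;
    sa->id.daddr.a4 = dst;
    sa->id.spi = spi;
    sa->id.proto = IPPROTO_ESP;
    sa->saddr.a4 = src;
    sa->family = AF_INET;
    sa->mode = XFRM_MODE_TRANSPORT;
    sa->reqid = reqid;
    sa->replay_window = 32;
    /* No kernel-side lifetimes: rekeying is driven entirely by this program. */
    sa->lft.soft_byte_limit = sa->lft.hard_byte_limit = XFRM_INF;
    sa->lft.soft_packet_limit = sa->lft.hard_packet_limit = XFRM_INF;
    /* XFRMA_ALG_AEAD carries struct xfrm_algo_aead followed by the key bytes. */
    unsigned char abuf[sizeof(struct xfrm_algo_aead) + MAX_AEAD_KEY];
    struct xfrm_algo_aead *aead = (struct xfrm_algo_aead *)abuf;
    memset(abuf, 0, sizeof abuf);
    strncpy(aead->alg_name, "rfc4106(gcm(aes))", sizeof aead->alg_name - 1);
    aead->alg_key_len = (unsigned int)(key_len * 8);  /* bits, salt included */
    aead->alg_icv_len = 128;
    memcpy(abuf + sizeof *aead, key, key_len);
    if (add_attr(r, XFRMA_ALG_AEAD, abuf, sizeof *aead + key_len) < 0)
        return 0;
    return r->nlh.nlmsg_len;
}

/* Send one request; return 0 on ACK, the kernel's negative errno, or -1 on I/O error. */
int xfrm_transact(int fd, struct xfrm_req *r)
{
    if (send(fd, r, r->nlh.nlmsg_len, 0) < 0)
        return -1;
    struct xfrm_req resp;
    ssize_t n = recv(fd, &resp, sizeof resp, 0);
    if (n < 0 || !NLMSG_OK(&resp.nlh, (int)n))
        return -1;
    if (resp.nlh.nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr *e = NLMSG_DATA(&resp.nlh);
        return e->error;  /* 0 is a plain ACK */
    }
    return 0;
}

/* The sequence from the post: tear down the old SA, then install the new key. */
int rekey_esp_sa(int fd, uint32_t src, uint32_t dst, uint32_t spi, uint32_t reqid,
                 const uint8_t *key, size_t key_len)
{
    struct xfrm_req r;
    build_delsa(&r, dst, spi, 1);
    int rc = xfrm_transact(fd, &r);
    if (rc < 0 && rc != -ENOENT)  /* no old SA yet is fine on the first install */
        return rc;
    if (build_newsa(&r, src, dst, spi, reqid, key, key_len, 2) == 0)
        return -EINVAL;
    return xfrm_transact(fd, &r);
}

int main(void)
{
    /* Constructed sample values: 10.0.0.1 -> 10.0.0.2, SPI 0x1000, 16-byte key + 4-byte salt. */
    static const uint8_t key[20] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
                                     0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13 };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) { perror("socket"); return 1; }
    int rc = rekey_esp_sa(fd, inet_addr("10.0.0.1"), inet_addr("10.0.0.2"),
                          htonl(0x1000), 1, key, sizeof key);
    printf("rekey: %s\n", rc == 0 ? "ok" : strerror(-rc));
    close(fd);
    return rc != 0;
}
```

Two points the code makes explicit. Setting NLM_F_ACK on every request forces the kernel to answer even when a request succeeds or does nothing, so a no-op comes back as an ACK (or an nlmsgerr with a real errno) instead of silence, which is the cheapest way to see whether a message was actually applied. And the delete-then-new sequence costs two round trips per rekey; the program tolerates ENOENT on the delete so the same routine serves both the first install and every later rotation.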

