[strongSwan-dev] [PATCH] kernel-netlink: Allow to override xfrm_acq_expires value

Ansis Atteka aatteka at nicira.com
Mon Sep 23 06:21:39 CEST 2013


When using auto=route, the current xfrm_acq_expires default value
implies that a tunnel can be down for up to 165 seconds if the
other peer rejected the first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongSwan to override the xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka at nicira.com>
---
 man/strongswan.conf.5.in                               |  4 ++++
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c      | 18 ++++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 9ee82f5..1a795fb 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -626,6 +626,10 @@ Set MTU of ipsecN device
 .BR charon.plugins.kernel-netlink.roam_events " [yes]"
 Whether to trigger roam events when interfaces, addresses or routes change
 .TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Delay between acquire requests in seconds. This is useful to bring up
+quicker IPsec tunnel when using auto=route
+.TP
 .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
 Time in ms to wait until virtual IP addresses appear/disappear before failing.
 .TP
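Review bot: the new man page entry for charon.plugins.kernel-netlink.xfrm_acq_expires does not tell the administrator what the value is or where it ends up: this patch writes it to /proc/sys/net/core/xfrm_acq_expires, a system-wide kernel sysctl, so changing it affects every XFRM user on the host, not only charon, and the daemon needs write access to that file for the setting to have any effect. The wording "This is useful to bring up quicker IPsec tunnel when using auto=route" also reads awkwardly; suggest something like "Value written to /proc/sys/net/core/xfrm_acq_expires at startup. A lower value lets charon retry a trapped connection sooner after a rejected IKE exchange when using auto=route."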
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 83f93ec..4544473 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -76,6 +76,9 @@
 /** Default replay window size, if not set using charon.replay_window */
 #define DEFAULT_REPLAY_WINDOW 32
 
+/** Delay between acquire requests (in seconds) */
+#define DEFAULT_ACQUIRE_DELAY 165
+
 /**
  * Map the limit for bytes and packets to XFRM_INF by default
  */
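Review bot: the macro name DEFAULT_ACQUIRE_DELAY does not match the option it backs; the existing DEFAULT_REPLAY_WINDOW / charon.replay_window pair two lines above names the default after the setting, so DEFAULT_XFRM_ACQ_EXPIRES would make the link to charon.plugins.kernel-netlink.xfrm_acq_expires obvious at the lookup site. The comment should also state that 165 is the value the old code hard-wired, so a reader knows the default preserves current behaviour rather than introducing a new number.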
@@ -2631,7 +2634,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
 	private_kernel_netlink_ipsec_t *this;
 	bool register_for_events = TRUE;
-	int fd;
+	FILE *f;
 
 	INIT(this,
 		.public = {
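Review bot: no objection to replacing `int fd` with `FILE *f` here; as a side effect the move to fopen/fclose also retires the `if (fd > 0)` test in the removed code, which wrongly treated descriptor 0 as a failure.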
@@ -2673,12 +2676,15 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 		register_for_events = FALSE;
 	}
 
-	/* disable lifetimes for allocated SPIs in kernel */
-	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
-	if (fd > 0)
+	f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
+	if (f)
 	{
-		ignore_result(write(fd, "165", 3));
-		close(fd);
+		int xfrm_acq_expires = lib->settings->get_int(lib->settings,
+				"%s.plugins.kernel-netlink.xfrm_acq_expires",
+				DEFAULT_ACQUIRE_DELAY, hydra->daemon);
+
+		ignore_result(fprintf(f, "%u", xfrm_acq_expires));
+		fclose(f);
 	}
 
 	this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
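Review bot: the value obtained from get_int is a signed int but is printed with "%u", so a negative setting would be written to the sysctl as a large unsigned number instead of being rejected, and nothing validates the value at all before it reaches the kernel. Suggest checking the range first and using a matching format, e.g.

	if (xfrm_acq_expires < 1) { DBG1(DBG_KNL, "ignoring invalid xfrm_acq_expires %d", xfrm_acq_expires); }
	else { ignore_result(fprintf(f, "%d", xfrm_acq_expires)); }

Two smaller points in the same block: the removed comment "/* disable lifetimes for allocated SPIs in kernel */" is dropped without a replacement, so the reason for writing this sysctl is no longer documented in the code; and because stdio buffers the fprintf, a value the kernel refuses will only surface as an error from fclose(), whose return value is not checked, so a misconfigured setting fails silently. Checking fclose() and logging the failure would make that visible to the administrator.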
-- 
1.8.1.2