[strongSwan-dev] Question about a commit on kernel pfkey plugin

Martin Willi martin at strongswan.org
Fri Nov 13 08:19:39 CET 2015

Hi Emeric,

> Could you please provide some further explanation about this commit you
> made some time ago? [...] 6ad787ca54ba8f51dce8311dc8bb012a04581b96

With the reqid allocation changes introduced in 5.3.3, we now try to
reuse reqid for identical tunnels. This allows us to better support
multiple tunnels with the same selectors, as all available SAs are valid
for the single SP instance shared by the tunnels.

Unfortunately, due to traffic selector narrowing in IKEv2 we don't know
the traffic selectors when we allocate a SPI in the kernel. This implies
that we can't allocate (or reuse) a reqid for that selector in that

At least with Linux, we can't update the reqid for an allocated SPI, so
we must reinstall the SA with the same SPI once we know the reqid. In
this patch we do this by deleting the SA associated to the allocated
SPI, and then install SAs in both directions (not doing an update for
the inbound SA).

> (We have some patch in the kernel that assume the SADB_GETSPI message
> is always related to an inbound SA and the SADB_ADD message is always
> related to an outbound SA)

You may try to go through another alloc/update cycle for the inbound SPI
after deleting it.


More information about the Dev mailing list