[strongSwan-dev] Packets loss during rekey

Avinoam Meir avinoam at google.com
Wed Jan 27 14:45:48 CET 2016

Hello StrongSwan devs,

I have question/proposal about CHILD SAs rekey:
If I understand correctly, today in rekey task, after creating the  new
CHILD SA,  immediately delete task is created and executed. (see here

This can cause packets loss If the peer gateway sends ESP packets in
parallel to the rekey, so there are some old ESP packet on the network.

Maybe StrongSwan can defer the call to kerne_interface->del_sa() for the
inbound CHILD SA (only), so the kernel continue to process esp packets for
the old  SAs for a while, and prevent the packet loss.

What do you think?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160127/984544b6/attachment.html>

More information about the Dev mailing list