[strongSwan-dev] Removed SA/policies flush from starter

Tobias Brunner tobias at strongswan.org
Thu Jun 30 15:05:55 CEST 2016 

> Well, if the daemon crashes it restarts in a desynchronized state with the kernel, which is difficult to debug/monitor.
> Examples:
> - there is some IPsec traffic for quite a long time but charon has no IKE SA negotiated (no stat, no monitoring available using charon),
> - if you perform a config reload just after a crash and the connection is no longer in the configuration, you will end up with the previous SA not flushed (we have a patch to remove the IKE SA/CHILD SA on deleted connections),
> - if you perform an "ipsec stop" after a crash, nothing is done.

So you expect charon to crash regularly?  My stance is that it should
basically never crash.  And starter previously did actually not flush
the kernel state when it restarted the daemon after a crash (it only did
so when terminating).  I don't really see a problem with 1, actually I
think it's better everything stays in place until an SA might get
replaced with a new one (avoids interruptions).  2 seems a bit
contrived.  And 3 can just as easily be handled by calling a separate
command to flush the kernel state.

> We could imagine an option (disabled by default) to enable this flush during startup?

Sure, if you think it's worthwhile.  On FreeBSD you could actually use
charon.start-scripts to implement this:

  charon {
    start-scripts {
      flush-policies = setkey -FP
      flush-sas = setkey -F
    }
  }

This doesn't work on Linux as the scripts run after the plugins have
been initialized so `ip xfrm` would flush the bypass policies set on the
UDP sockets used by the daemon.  On FreeBSD PF_KEY apparently can't
manage socket specific policies.  One problem could be, though, that
starter might send the connections before the scripts are executed
(starter waits for the PID file to appear, which happens even before the
plugins are loaded), so there is a potential race if you use trap
policies.  But you could switch to swanctl and run the command to load
the connections after the ones above.

Regards,
Tobias

More information about the Dev mailing list