[strongSwan-dev] Packet loss during rekey

Tobias Brunner tobias at strongswan.org
Tue Apr 25 11:42:24 CEST 2017

Hi Emeric,

> It seems there is no more packet loss during the CHILD SA rekeying.

Thanks for the tests.

> However, I noticed some drop during the IKE SA reauthentication, despite the make_before_break option set to yes.
> Is that the expected behavior?

I guess, I didn't change anything regarding reauthentication.  It's also
not that easy as the new IKE_SA that's built during a reauthentication
has no relationship to the existing one (like the two or more IKE_SAs
during a rekeying do), so synchronizing the uninstallation/destruction
of the associated CHILD_SAs is not really possible.  It's similar to
when an SA is first established, the responder is able to send ESP
packets before the initiator can actually process them.  This could only
be "resolved" by delaying the installation of the outbound SA on the
responder for a while after it responded to the IKE_AUTH (or
CREATE_CHILD_SA) message.  But even then, the response could get lost or
delayed and the responder might still install the SA before the
initiator installed its inbound SA.  During a reauthentication the same
thing occurs, i.e. the responder will install a new outbound SA with the
new IKE_SA and use it before the initiator installs the new inbound SA
when it receives the IKE_AUTH response.
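The race described in the message above, as an added timing model that is not part of the original post and not strongSwan code: the responder installs its outbound SA the moment it sends the IKE_AUTH (or CREATE_CHILD_SA) response, while the initiator can only install its inbound SA once that response has arrived and been processed. Every ESP packet the responder sends in between arrives at a peer with no matching inbound SA and is dropped. The latencies, the initiator processing time, the ESP send interval and the optional responder-side installation delay are all constructed parameters, in milliseconds; the function `simulate_sa_install` and its result type are hypothetical names for this example.

```python
"""Timing model of the SA-installation race (added example, not strongSwan code).

All times are in milliseconds and are constructed inputs:
  one_way_latency_ms          network delay responder -> initiator
  initiator_processing_ms     time the initiator needs to verify the response
                              and install its inbound SA (userspace + netlink)
  response_delay_ms           extra delay if the IKE response is lost or delayed
                              and only a retransmission reaches the initiator
  outbound_install_delay_ms   how long the responder waits after answering
                              before it installs (and uses) its outbound SA
  esp_interval_ms             interval at which the responder emits ESP traffic
"""
from dataclasses import dataclass


@dataclass
class RaceResult:
    dropped: int      # ESP packets that arrived before the inbound SA existed
    delivered: int    # ESP packets that arrived once the inbound SA was in place
    window_ms: int    # responder send time during which loss is unavoidable


def simulate_sa_install(one_way_latency_ms, initiator_processing_ms,
                        response_delay_ms=0, outbound_install_delay_ms=0,
                        esp_interval_ms=1, sim_end_ms=10_000):
    """Simulate responder outbound SA use against initiator inbound SA readiness.

    t = 0 is the instant the responder sends the IKE response.  The initiator's
    inbound SA is usable only after the response has travelled the link, any
    loss/retransmit delay has passed, and the initiator has processed it.
    """
    inbound_ready = one_way_latency_ms + response_delay_ms + initiator_processing_ms

    dropped = delivered = 0
    sent_at = outbound_install_delay_ms          # first ESP packet leaves here
    while sent_at < sim_end_ms:
        arrives_at = sent_at + one_way_latency_ms
        if arrives_at < inbound_ready:
            dropped += 1                         # no inbound SA yet: kernel discards it
        else:
            delivered += 1
        sent_at += esp_interval_ms

    # Length of the responder-side interval in which sending is futile.
    window = max(0, inbound_ready - one_way_latency_ms - outbound_install_delay_ms)
    return RaceResult(dropped, delivered, window)


def compare_scenarios():
    """Three constructed cases that mirror the argument in the message."""
    return {
        # Responder installs immediately: initiator processing time is lost traffic.
        "immediate": simulate_sa_install(20, 5),
        # A short responder-side delay covers normal processing time completely.
        "delayed_install": simulate_sa_install(20, 5, outbound_install_delay_ms=10),
        # ...but cannot cover a lost response that is only retransmitted seconds later.
        "delayed_install_lost_response": simulate_sa_install(
            20, 5, response_delay_ms=4000, outbound_install_delay_ms=10),
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name:32s} dropped={result.dropped:5d} "
              f"delivered={result.delivered:5d} window={result.window_ms} ms")
```

Reading the three cases together makes the point of the message concrete: a fixed delay on the responder removes the loss that comes from the initiator's processing time, but the loss window is really bounded by the response's delivery time, which the responder cannot observe, so a lost or retransmitted IKE response still produces a burst of undecryptable ESP.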

