[strongSwan-dev] SP update during CHILD SA rekeying

Emeric POUPON emeric.poupon at stormshield.eu
Mon Apr 30 13:23:06 CEST 2018


Hello,

I am using FreeBSD and routed connections, and I noticed that charon keeps updating SPs during the CHILD SA rekey process.

netstat -s -p pfkey | grep update -> increasing during each CHILD SA rekey.

I can see things like this in the logs:

Apr 30 11:02:13 15[CHD] <TUNNEL|5> CHILD_SA TUNNEL{84} state change: CREATED => INSTALLING
Apr 30 11:02:13 15[CHD] <TUNNEL|5>   using AES_CBC for encryption
Apr 30 11:02:13 15[CHD] <TUNNEL|5>   using HMAC_SHA2_256_128 for integrity
Apr 30 11:02:13 15[CHD] <TUNNEL|5> adding inbound ESP SA
Apr 30 11:02:13 15[CHD] <TUNNEL|5>   SPI 0xccc45a9b, src 192.168.56.100 dst 192.168.56.110
Apr 30 11:02:13 15[KNL] <TUNNEL|5> deleting SAD entry with SPI ccc45a9b
Apr 30 11:02:13 15[KNL] <TUNNEL|5> deleted SAD entry with SPI ccc45a9b
Apr 30 11:02:13 15[KNL] <TUNNEL|5> adding SAD entry with SPI ccc45a9b and reqid {4}
Apr 30 11:02:13 15[KNL] <TUNNEL|5>   using encryption algorithm AES_CBC with key size 256
Apr 30 11:02:13 15[KNL] <TUNNEL|5>   using integrity algorithm HMAC_SHA2_256_128 with key size 256
Apr 30 11:02:13 01[JOB] watched FD 7 ready to read
Apr 30 11:02:13 15[CHD] <TUNNEL|5> registering outbound ESP SA
Apr 30 11:02:13 15[CHD] <TUNNEL|5>   SPI 0xcc124fd9, src 192.168.56.110 dst 192.168.56.100
Apr 30 11:02:13 01[JOB] watcher going to poll() 4 fds
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.100.0/24 === 192.168.110.0/24 in already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 in

Why does charon trigger an SP update in that case? Is there any relevant information to update, since the SPs are statically routed?

The problem is that there seems to be a race in FreeBSD: the SP is not really updated, it is removed and then a new one is added, and unfortunately this is not atomic.
Therefore some packets may leave using the default policy.

Emeric
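The following is an added example, not part of the post above and not strongSwan code. It parses charon log lines in the format quoted in the post and reports, per CHILD_SA being installed, which kernel policies charon "updated" meanwhile, and how many of those updates hit a policy charon had just reported as already existing. On a kernel where a policy update is implemented as delete + add, each such update is a window in which traffic can fall through to the default policy, so a non-zero count per rekey is the figure to track. The `CONSTRUCTED_LOG` lines are made up to exercise the outbound direction and a second IKE_SA; the regexes assume charon's `<conn|ike-id>` prefix and the `policy A === B dir` wording shown in the post.

```python
"""Count kernel SP updates that charon issues while installing a rekeyed CHILD_SA.

Added example (not from the mailing-list post or strongSwan). It attributes
"updating policy" lines to the CHILD_SA that is in INSTALLING for the same
IKE_SA id, and separately counts updates of policies charon had just reported
as already present (refcount bump followed by an update of the same policy).
"""
import re
from collections import defaultdict

# Excerpt taken from the post above (charon debug log during a CHILD_SA rekey).
SAMPLE_LOG = """\
Apr 30 11:02:13 15[CHD] <TUNNEL|5> CHILD_SA TUNNEL{84} state change: CREATED => INSTALLING
Apr 30 11:02:13 15[CHD] <TUNNEL|5>   using AES_CBC for encryption
Apr 30 11:02:13 15[CHD] <TUNNEL|5> adding inbound ESP SA
Apr 30 11:02:13 15[KNL] <TUNNEL|5> adding SAD entry with SPI ccc45a9b and reqid {4}
Apr 30 11:02:13 01[JOB] watched FD 7 ready to read
Apr 30 11:02:13 15[CHD] <TUNNEL|5> registering outbound ESP SA
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.100.0/24 === 192.168.110.0/24 in already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.100.0/24 === 192.168.110.0/24 in
"""

# Constructed continuation (hypothetical, not from the post): the same SA's
# outbound policy handled the same way, plus an unrelated IKE_SA whose lines
# must not be attributed to TUNNEL{84}.
CONSTRUCTED_LOG = """\
Apr 30 11:02:13 15[KNL] <TUNNEL|5> policy 192.168.110.0/24 === 192.168.100.0/24 out already exists, increasing refcount
Apr 30 11:02:13 15[KNL] <TUNNEL|5> updating policy 192.168.110.0/24 === 192.168.100.0/24 out
Apr 30 11:02:14 07[CHD] <OTHER|9> CHILD_SA OTHER{3} state change: CREATED => INSTALLING
Apr 30 11:02:14 07[KNL] <OTHER|9> updating policy 10.0.0.0/24 === 10.1.0.0/24 in
Apr 30 11:02:14 15[CHD] <TUNNEL|5> CHILD_SA TUNNEL{84} state change: INSTALLING => INSTALLED
"""

STATE_RE = re.compile(
    r"\[CHD\] <(?P<conn>[^|]+)\|(?P<ike>\d+)> CHILD_SA (?P<child>\S+) "
    r"state change: (?P<old>\S+) => (?P<new>\S+)"
)
UPDATE_RE = re.compile(
    r"\[KNL\] <(?P<conn>[^|]+)\|(?P<ike>\d+)> updating policy "
    r"(?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd)"
)
REFCOUNT_RE = re.compile(
    r"\[KNL\] <(?P<conn>[^|]+)\|(?P<ike>\d+)> policy (?P<src>\S+) === (?P<dst>\S+) "
    r"(?P<dir>in|out|fwd) already exists, increasing refcount"
)


def policy_updates_per_child_sa(lines):
    """Map each CHILD_SA in INSTALLING to the policies charon updated meanwhile.

    Lines are attributed by IKE_SA unique id (the number after '|'), since
    charon logs kernel operations under the IKE_SA that owns the CHILD_SA.
    Returns {child_sa_name: [(src_ts, dst_ts, direction), ...]}.
    """
    installing = {}                 # ike id -> CHILD_SA currently in INSTALLING
    updates = defaultdict(list)
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            if m["new"] == "INSTALLING":
                installing[m["ike"]] = m["child"]
            elif m["old"] == "INSTALLING":
                installing.pop(m["ike"], None)
            continue
        m = UPDATE_RE.search(line)
        if m and m["ike"] in installing:
            updates[installing[m["ike"]]].append((m["src"], m["dst"], m["dir"]))
    return dict(updates)


def updates_of_preexisting_policies(lines):
    """Count updates of policies charon had just reported as already existing.

    These are the updates the post asks about: the SP itself did not change,
    yet on a delete-then-add kernel each one still opens a gap.
    """
    seen = set()
    count = 0
    for line in lines:
        m = REFCOUNT_RE.search(line)
        if m:
            seen.add((m["ike"], m["src"], m["dst"], m["dir"]))
            continue
        m = UPDATE_RE.search(line)
        if m and (m["ike"], m["src"], m["dst"], m["dir"]) in seen:
            count += 1
    return count


if __name__ == "__main__":
    log = (SAMPLE_LOG + CONSTRUCTED_LOG).splitlines()
    for child, pols in policy_updates_per_child_sa(log).items():
        print(f"{child}: {len(pols)} policy update(s) during install")
        for src, dst, d in pols:
            print(f"  {src} === {dst} {d}")
    print("updates of unchanged, pre-existing policies:",
          updates_of_preexisting_policies(log))
```

Run it against a real `charon` log captured with the `knl` and `chd` log levels raised; feeding only the post's excerpt yields one update for `TUNNEL{84}`, which is exactly the update the post questions, since the policy already existed and was only refcounted.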

