[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
Tobias Brunner
tobias at strongswan.org
Tue Mar 20 09:55:02 CET 2012
Hi Anand,
> On my environment there is no support for kernel-netlink interface
> for IPsec,
>
> I have to use kernel-pfkey interface only as I have my hooks
> registered in PFKEY to XFRM for IPsec.
>
> I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
> resulted in kernel panic after running for a while. I think there is
> not much support for kernel-pfkey plugin in latest strtongswan
> versions, and since latest versions require kernel-netlink plugin to
> function properly migrating to newer versions might be not helpful in
> my case.
You actually need both plugins on Linux, even if using kernel-pfkey to
install IPsec SAs and policies. The reason for this is that the
kernel-netlink plugin also implements the kernel_net_t interface which
is used for address and route lookups etc. You can enable both plugins,
the kernel-pfkey plugin is then loaded first by default (otherwise make
sure it is loaded first), which means that its kernel_ipsec_t
implementation is used while the kernel-netlink plugin can still provide
the required kernel_net_t implementation.
Regards,
Tobias
More information about the Users
mailing list