[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Tobias Brunner tobias at strongswan.org
Tue Mar 20 09:55:02 CET 2012

Hi Anand,

> On my environment there is no support for kernel-netlink interface
> for IPsec,
> I have to use kernel-pfkey interface only as I have my hooks
> registered in PFKEY to XFRM for IPsec.
> I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
> resulted in kernel panic after running for a while. I think there is
> not much support for kernel-pfkey plugin in latest strtongswan
> versions, and since latest versions require kernel-netlink plugin to
> function properly migrating to newer versions might be not helpful in
> my case.

You actually need both plugins on Linux, even if using kernel-pfkey to
install IPsec SAs and policies.  The reason for this is that the
kernel-netlink plugin also implements the kernel_net_t interface which
is used for address and route lookups etc.  You can enable both plugins,
the kernel-pfkey plugin is then loaded first by default (otherwise make
sure it is loaded first), which means that its kernel_ipsec_t
implementation is used while the kernel-netlink plugin can still provide
the required kernel_net_t implementation.


More information about the Users mailing list