[strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

anand rao anandrao_me at yahoo.co.in
Tue Mar 20 13:54:05 CET 2012

Hi Tobias,

I have already enabled both the kernel-pfkey and kernel-netlink plugins. Both plugins are loaded.
This was suggested by Andreas for my earlier query about pfkey plugin usage for IKEv1.

Since 4.5.3 is causing a kernel panic in my environment for unknown reasons, I want to resolve
the redundant child SA issue on 4.3.6. Please suggest how I can resolve this issue.


----- Original Message -----
From: Tobias Brunner <tobias at strongswan.org>
To: anand rao <anandrao_me at yahoo.co.in>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Tuesday, March 20, 2012 2:25 PM
Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs

Hi Anand,

> On my environment there is no support for kernel-netlink interface
> for IPsec,
> I have to use kernel-pfkey interface only as I have my hooks
> registered in PFKEY to XFRM for IPsec.
> I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
> resulted in kernel panic after running for a while. I think there is
> not much support for kernel-pfkey plugin in latest strongswan
> versions, and since latest versions require kernel-netlink plugin to
> function properly migrating to newer versions might be not helpful in
> my case.

You actually need both plugins on Linux, even if using kernel-pfkey to
install IPsec SAs and policies.  The reason for this is that the
kernel-netlink plugin also implements the kernel_net_t interface which
is used for address and route lookups etc.  You can enable both plugins,
the kernel-pfkey plugin is then loaded first by default (otherwise make
sure it is loaded first), which means that its kernel_ipsec_t
implementation is used while the kernel-netlink plugin can still provide
the required kernel_net_t implementation.

