[strongSwan] liveness mechanism for BITW IPsec
ABULIUS, MUGUR (MUGUR)
mugur.abulius at alcatel-lucent.com
Mon Aug 4 13:33:54 CEST 2014
> I assume you are using a custom kernel backend for ESP processing?
We are not using a custom kernel backend.
Our application uses the netlink socket interface and
sets up the cryptographic HW engine with SA events from strongSwan.
The Linux parameters disable_xfrm and disable_policy are set to 1.
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Monday, 4 August 2014 11:36
To: ABULIUS, MUGUR (MUGUR)
Cc: users at lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); DIMA, CIPRIAN (CIPRIAN); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] liveness mechanism for BITW IPsec
> Is there any way to "tell" strongSwan that there is traffic in
> order to avoid sending INFORMATIONAL messages in this case?
strongSwan queries the kernel-interface for SA usage. If you are using kernel-netlink as backend, Linux usually provides this information when querying the SA/SP state.
> In our Bump In The Wire IPsec implementation
I assume you are using a custom kernel backend for ESP processing? If yes, you may consider adding the appropriate information in your kernel interface when querying usage statistics with query_sa() or query_policy().