[strongSwan] Problem with 'auto=start' on unused SA

Emeric POUPON emeric.poupon at stormshield.eu
Thu Jul 31 11:09:02 CEST 2014


Yes indeed, at least one packet is lost when using auto=route.

I discovered that FreeBSD does not properly handle SAs regarding the PFKEYV2 RFC:
1/ the SADB_EXPIRE (with soft extension) message is sent only if the soft lifetime is non-zero and the SA has been used. The RFC does not say it has to be used though.
-> Sending the SADB_EXPIRE message with soft extension even if the SA has not been used corrected my initial problem: the CHILD SA is rekeyed forever as I expected.

2/ the SADB_EXPIRE (with hard extension) message is never sent. Furthermore, the hard lifetime is not checked if the soft lifetime is set to 0, and the SA remains forever in the SAD.
-> Is sending the SADB_EXPIRE message with hard extension mandatory for strongswan to properly work?
-> AFAIK, a SADB_EXPIRE message has to be sent for both soft and hard lifetime timeouts?

Could you please tell me more about the strongswan logic regarding these messages?


----- Original Message -----
From: "Romain Francoise" <romain at orebokech.com>
To: "Martin Willi" <martin at strongswan.org>
Cc: users at lists.strongswan.org
Sent: Thursday, 31 July 2014 10:17:47
Subject: Re: [strongSwan] Problem with 'auto=start' on unused SA

On Thu, Jul 31, 2014 at 09:42:07AM +0200, Martin Willi wrote:
> For always-up tunnels, I usually recommend to use auto=route. This makes
> sure no matching traffic leaves unencrypted, and the kernel will trigger
> a new SA should an existing one fail for whatever reason.

With the caveat that the packet which springs the trap is lost, at least
in current versions of Linux.
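A C model of the two lifetime-check behaviours discussed in this thread, added here as an illustration and not code from FreeBSD, strongSwan or either poster: `check_lifetime_rfc` follows the RFC 2367 semantics Emeric expects (soft expire delivered once regardless of use, hard expire independent of the soft setting), while `check_lifetime_reported` reproduces the FreeBSD behaviour he describes; the struct layout, function names and sample lifetimes are assumptions.

```c
/* Constructed model of PF_KEYv2 (RFC 2367) SA lifetime expiry checks. */
#include <stdbool.h>
#include <stdint.h>

enum expire_event { EXPIRE_NONE = 0, EXPIRE_SOFT = 1, EXPIRE_HARD = 2 };

struct sa {
    uint64_t added_at;      /* time the SA was installed (seconds) */
    uint64_t soft_addtime;  /* soft lifetime in seconds, 0 = not set */
    uint64_t hard_addtime;  /* hard lifetime in seconds, 0 = not set */
    uint64_t bytes_used;    /* traffic carried so far; 0 = idle SA */
    bool soft_sent;         /* SADB_EXPIRE with soft extension already delivered */
};

/* RFC 2367 semantics: the soft SADB_EXPIRE is delivered once when the soft
 * lifetime elapses, whether or not the SA carried traffic, so the IKE daemon
 * can rekey; the hard SADB_EXPIRE is delivered when the hard lifetime elapses
 * (the kernel deletes the SA at that point), independent of the soft setting. */
enum expire_event check_lifetime_rfc(struct sa *sa, uint64_t now)
{
    uint64_t age = now - sa->added_at;
    if (sa->hard_addtime && age >= sa->hard_addtime)
        return EXPIRE_HARD;
    if (sa->soft_addtime && age >= sa->soft_addtime && !sa->soft_sent) {
        sa->soft_sent = true;
        return EXPIRE_SOFT;
    }
    return EXPIRE_NONE;
}

/* Behaviour reported for FreeBSD in the mail above (modelled, not kernel code):
 * the soft expire fires only for an SA that has been used, the hard expire is
 * never sent, and with soft lifetime 0 the hard lifetime is not examined at all,
 * so an idle SA is never rekeyed and lingers in the SAD. */
enum expire_event check_lifetime_reported(struct sa *sa, uint64_t now)
{
    uint64_t age = now - sa->added_at;
    if (sa->soft_addtime == 0)
        return EXPIRE_NONE;             /* hard lifetime never checked */
    if (age >= sa->soft_addtime && sa->bytes_used > 0 && !sa->soft_sent) {
        sa->soft_sent = true;
        return EXPIRE_SOFT;
    }
    return EXPIRE_NONE;                 /* hard expire never delivered */
}
```

Driving both checks with the same idle SA shows why the CHILD_SA in the original report was rekeyed only when the soft expire stopped depending on traffic.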