[strongSwan] unable to install policy

Raoul Duke rduke496 at gmail.com
Mon Nov 17 16:33:35 CET 2014


Thanks so much for your detailed response.

On Mon, Nov 17, 2014 at 9:02 AM, Martin Willi <martin at strongswan.org> wrote:
> It currently is unclear to me why there is such a conflict, and how that
> old SA is related to the new one. If the old one is some left-over from
> the same client, reverting that patch might help to work-around the
> issue. Possible that this is some kind of race condition, i.e. a virtual
> IP gets re-assigned before the related policies could be deleted from
> the kernel.

I decided to try removing the discussed patch to see what impact it has:


Would you recommend that I revert the entire patch or just the section
relating to the "unable to install policy..." early return.

For example I'm unsure if I should revert this bit:
- tmpl->reqid = ipsec->cfg.reqid;
+ tmpl->reqid = policy->reqid;

> To improve the situation in the long term, I'm currently working on a
> global reqid allocation mechanism. That should avoid such conflicts in
> most cases, as we reuse the reqid for the same selectors. The
> development is done in a separate branch [1]. This is currently
> experimental, as the changes are rather large, but the plan is to merge
> that for the next release.

Sounds good.


More information about the Users mailing list