[strongSwan] unable to install policy
Raoul Duke
rduke496 at gmail.com
Mon Nov 17 16:33:35 CET 2014
Martin,
Thanks so much for your detailed response.
On Mon, Nov 17, 2014 at 9:02 AM, Martin Willi <martin at strongswan.org> wrote:
>
> It currently is unclear to me why there is such a conflict, and how that
> old SA is related to the new one. If the old one is some left-over from
> the same client, reverting that patch might help to work around the
> issue. Possible that this is some kind of race condition, i.e. a virtual
> IP gets re-assigned before the related policies could be deleted from
> the kernel.
I decided to try removing the discussed patch to see what impact it has:
https://wiki.strongswan.org/projects/strongswan/repository/revisions/1551d8b13d14028fc26fb1a363c33aa3a1200882
Would you recommend that I revert the entire patch or just the section
relating to the "unable to install policy..." early return?
For example I'm unsure if I should revert this bit:
- tmpl->reqid = ipsec->cfg.reqid;
+ tmpl->reqid = policy->reqid;
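Review bot: The `+ tmpl->reqid = policy->reqid;` line changes which reqid the template carries, but nothing in the fragment shown says why the per-policy value replaces `ipsec->cfg.reqid`. A short comment above the assignment stating when the two values can differ would make it clear whether this line depends on the "unable to install policy..." early return or can be reverted separately.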
>
> To improve the situation in the long term, I'm currently working on a
> global reqid allocation mechanism. That should avoid such conflicts in
> most cases, as we reuse the reqid for the same selectors. The
> development is done in a separate branch [1]. This is currently
> experimental, as the changes are rather large, but the plan is to merge
> that for the next release.
Sounds good.
Thanks.