Packets dropped during CHILD SA rekeying

Emeric POUPON emeric.poupon at stormshield.eu
Thu Apr 16 15:33:37 CEST 2015


Using FreeBSD 9.3, strongSwan 5.2.2

We're experiencing some dropped packets while CHILD SAs are being rekeyed.

When rekeying a CHILD SA, we create a new set of IPsec SAs, with new inbound/outbound SPIs in the kernel.
Once done, we have two pairs of IPsec SAs living in the kernel, and we still use the old one due to the default FreeBSD behavior (sysctl "net.key.preferred_oldsa=1").

Then we delete the old IPsec SA pair:
- we first send a DELETE
- on the ack reception we delete the old entries in the kernel.

In the meantime we use the old outbound SA: the remote host deletes the old inbound SA and drops further packets.

If we set preferred_oldsa=0, the very same issue seems to occur during the SA establishment in the kernel.

A solution may be to delete the old outbound SA when sending the DELETE, and delete the old inbound SA when receiving the ack (or maybe some time later?).

What do you think?
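A small model of the sequence described in the post, added here as an example (it is not code from the post or from strongSwan): it replays both peers' kernel SA tables through the rekey and shows the window in which A's packets are dropped under the current ordering, and that the proposed ordering closes it. The peer names, the SPI values 1 and 2, and the `run_rekey` function are constructed assumptions.

```python
"""Model of the CHILD_SA rekey race described in the post (constructed example).

Each peer holds a kernel-like SA table: the inbound SPIs it still accepts and the
outbound SPIs it may send on.  FreeBSD's net.key.preferred_oldsa=1 means the
oldest outbound SA is used while both pairs are installed.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    inbound: set = field(default_factory=set)     # SPIs accepted on receive
    outbound: list = field(default_factory=list)  # usable outbound SPIs, oldest first

    def tx_spi(self) -> int:
        return self.outbound[0]  # preferred_oldsa=1: oldest SA wins


def deliver(src: Peer, dst: Peer) -> bool:
    """True if an ESP packet sent now by src would be accepted by dst."""
    return src.tx_spi() in dst.inbound


def run_rekey(delete_outbound_on_send: bool) -> dict:
    """Replay the rekey; return (A->B ok, B->A ok) for each phase.

    delete_outbound_on_send=False is the behaviour the post describes (old pair
    kept until the DELETE is acked).  True is the proposed change: drop the old
    outbound SA when the DELETE is sent, keep the old inbound SA until the ack.
    """
    # SPI 1 = old pair, SPI 2 = new pair, both installed after CREATE_CHILD_SA.
    a = Peer("A", {1, 2}, [1, 2])
    b = Peer("B", {1, 2}, [1, 2])
    result = {"after_install": (deliver(a, b), deliver(b, a))}

    # A sends DELETE for the old CHILD_SA.
    if delete_outbound_on_send:
        a.outbound.remove(1)
    # B handles the DELETE: removes its old pair, then sends the ack.
    b.inbound.discard(1)
    b.outbound.remove(1)
    # Traffic flowing while the ack is still in flight.
    result["before_ack"] = (deliver(a, b), deliver(b, a))

    # A receives the ack and removes whatever is left of the old pair.
    a.inbound.discard(1)
    if 1 in a.outbound:
        a.outbound.remove(1)
    result["after_ack"] = (deliver(a, b), deliver(b, a))
    return result
```

`run_rekey(False)["before_ack"]` yields `(False, True)`: A still sends on SPI 1, which B no longer accepts, while B's traffic on SPI 2 gets through; `run_rekey(True)` reports no drop in any phase.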


