[strongSwan] Packets dropped during CHILD SA rekeying

Emeric POUPON emeric.poupon at stormshield.eu
Wed Apr 29 09:31:07 CEST 2015

No idea on this topic?

It seems to be related to: https://wiki.strongswan.org/issues/839#note-1
(but in FreeBSD we use the old SA by default)


----- Original Message -----
From: "Emeric POUPON" <emeric.poupon at stormshield.eu>
To: users at lists.strongswan.org
Sent: Thursday, 16 April 2015 15:33:37
Subject: [strongSwan] Packets dropped during CHILD SA rekeying


Using FreeBSD 9.3, strongSwan 5.2.2

We're experiencing some dropped packets while CHILD SAs are being rekeyed.

When rekeying a CHILD SA, we create a new set of IPsec SAs, with new inbound/outbound SPIs in the kernel.
Once done, we have two pairs of IPsec SAs living in the kernel, and we still use the old one due to the default FreeBSD behavior (sysctl "net.key.preferred_oldsa=1").

Then we delete the old IPsec SA pair:
- we first send a DELETE
- on the ack reception we delete the old entries in the kernel.

In the meantime we use the old outbound SA: the remote host deletes the old inbound SA and drops further packets.

If we set preferred_oldsa=0, the very same issue seems to occur during the SA establishment in the kernel.

A solution may be to delete the old outbound SA when sending the DELETE, and delete the old inbound SA when receiving the ack (or maybe some time later?).

What do you think?
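The delete-ordering race described in the quoted message, modelled as a small simulation of both peers and their SA tables. This is an added example, not code from the thread or from strongSwan; the SPI values, the packet counts between events and the three-step timeline (DELETE in flight, DELETE processed, ack processed) are constructed assumptions, and the kernel-side establishment race mentioned for preferred_oldsa=0 is not modelled.

```python
"""Simulation of the CHILD_SA delete race from the thread.

Each peer keeps an inbound SA set (SPIs its kernel will accept) and an
outbound SA list (SPIs it may send with, oldest first).  With FreeBSD's
net.key.preferred_oldsa=1 the kernel keeps sending on the oldest SA until
that SA is removed.  All SPI values below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    preferred_oldsa: bool = True
    inbound: set = field(default_factory=set)      # SPIs this peer accepts
    outbound: list = field(default_factory=list)   # SPIs usable for sending
    received: int = 0
    dropped: int = 0

    def select_outbound(self) -> int:
        # preferred_oldsa=1 -> oldest SA; preferred_oldsa=0 -> newest SA
        return self.outbound[0] if self.preferred_oldsa else self.outbound[-1]


def send_traffic(src: Peer, dst: Peer, count: int) -> None:
    """Deliver `count` ESP packets from src to dst.  A packet carrying an SPI
    the receiver's kernel no longer knows is dropped, as a real kernel would."""
    for _ in range(count):
        spi = src.select_outbound()
        if spi in dst.inbound:
            dst.received += 1
        else:
            dst.dropped += 1


def simulate(delete_outbound_on_send: bool, packets_per_step: int = 3,
             preferred_oldsa: bool = True) -> dict:
    """Run the DELETE exchange for the old SA pair between initiator A and
    responder B.  delete_outbound_on_send=False is the ordering reported in
    the thread; True is the proposed fix (drop the old outbound SA as soon as
    the DELETE is sent, the old inbound SA only once the ack arrives)."""
    a = Peer("A", preferred_oldsa)
    b = Peer("B", preferred_oldsa)
    old_a_out, old_b_out = 0x1001, 0x2001   # constructed SPIs, old pair
    new_a_out, new_b_out = 0x1002, 0x2002   # constructed SPIs, new pair

    # State after CREATE_CHILD_SA: both pairs installed on both sides.
    a.inbound, a.outbound = {old_b_out, new_b_out}, [old_a_out, new_a_out]
    b.inbound, b.outbound = {old_a_out, new_a_out}, [old_b_out, new_b_out]

    # Step 1: A sends the INFORMATIONAL DELETE for the old pair.
    if delete_outbound_on_send:
        a.outbound.remove(old_a_out)
    send_traffic(a, b, packets_per_step)   # traffic while DELETE is in flight
    send_traffic(b, a, packets_per_step)

    # Step 2: B processes the DELETE: removes its old inbound and outbound
    # SA, then replies.  Anything A still sends on the old SPI is now lost.
    b.inbound.discard(old_a_out)
    b.outbound.remove(old_b_out)
    send_traffic(a, b, packets_per_step)   # traffic while the ack is in flight
    send_traffic(b, a, packets_per_step)

    # Step 3: A processes the ack and removes what is left of the old pair.
    a.inbound.discard(old_b_out)
    if old_a_out in a.outbound:
        a.outbound.remove(old_a_out)
    send_traffic(a, b, packets_per_step)
    send_traffic(b, a, packets_per_step)

    return {
        "a_to_b_dropped": b.dropped, "a_to_b_received": b.received,
        "b_to_a_dropped": a.dropped, "b_to_a_received": a.received,
    }


if __name__ == "__main__":
    print("reported ordering:", simulate(delete_outbound_on_send=False))
    print("proposed ordering:", simulate(delete_outbound_on_send=True))
```

In the reported ordering every packet A sends between B's processing of the DELETE and A's processing of the ack is lost, which is the window the message describes; deleting the old outbound SA at DELETE time closes that window because B already accepts the new SPI, while keeping the old inbound SA until the ack still lets B's in-flight packets on the old SPI through.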

