[strongSwan] active TCP connection hangs during rekeying
djr
dominiquej.ragot at laposte.net
Wed Jan 14 10:13:26 CET 2015
Dear strongSwan experts,

I have been using strongSwan for some time now between two Linux hosts
(starting with version 4.4.1 on Debian, now using version 4.6.4) with
IKEv2 and it has been working very well in all the use cases I have ...
except one.

I have observed that if there are TCP connections with traffic during
rekeying, whichever side triggers it (emitter or receiver), the
behavior is normal in tunnel mode (after rekeying, traffic is resumed
with almost no delay) but not in transport mode (traffic is stalled for
an indefinite time). More precisely, the emitter TCP buffer accumulates
frames but for some _unknown_ reason it appears there is no further
attempt to re-emit them.

Is this a known behavior/limitation of transport mode?

After having investigated both the strongSwan and kernel code, I have
suspected some XFRM issue in the kernel, but I do not have a clear view
of the sequence of xfrm routines there. I would like to trace and
compare the sequence of actions performed in tunnel mode vs transport
mode. How shall I proceed to make progress in this analysis?

Kind Regards,
Dominique