[strongSwan] Rekeying of Child SA when the Linux kernel has been bypassed

Martin Willi martin at strongswan.org
Wed Jan 28 12:06:48 CET 2015


Hi,

> Since I have bypassed the kernel, can I do the following in the install
> function (defined in child_sa.c) for rekeying of the Child SA?
>
> job = (job_t*)rekey_child_sa_job_create(this->reqid, proto_ike2ip(this->protocol), spi);
> lib->scheduler->schedule_job(lib->scheduler, job, soft_add_expires_seconds * 1000);

If your IPsec backend does not raise expire events, you can use the
scheduler to trigger them. However, you shouldn't directly queue the
jobs, but instead call the expire() handler on the kernel interface,
which does all that for you.

For a clean code separation, that code should go to your custom kernel
backend, not the CHILD_SA. The kernel-wfp backend for example uses the
scheduler to trigger expire events, refer to [1] for the implementation
details.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c;h=39e37b1c;hb=HEAD#l2085
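
The separation described in the reply above, as a self-contained C model added here (it is not code from the post or from strongSwan, and every name in it is hypothetical): the backend arms the lifetime timers when an SA is installed and reports them through a single expire() entry point, and a timer that outlives its SA is dropped instead of triggering a rekey for an SA that no longer exists. The soft (rekey) and hard (delete) lifetimes and the simulated clock are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model; none of these names are strongSwan APIs. */
typedef struct { uint32_t spi; bool live; } sa_t;
typedef struct { uint32_t due, spi; bool hard, used; } timer_ev_t;
static sa_t sas[4];
static timer_ev_t timers[16];
static int soft_events, hard_events;

/* Stand-in for the expire() handler the daemon exposes to kernel backends. */
static void expire(uint32_t spi, bool hard)
{
	if (hard) hard_events++; else soft_events++;
	printf("expire spi=0x%x %s\n", (unsigned)spi, hard ? "hard" : "soft");
}

static void schedule(uint32_t due, uint32_t spi, bool hard)
{
	for (int i = 0; i < 16; i++)
		if (!timers[i].used) { timers[i] = (timer_ev_t){ due, spi, hard, true }; return; }
}

/* Backend add_sa(): the backend, not the CHILD_SA, arms both lifetime timers. */
static void backend_add_sa(uint32_t now, uint32_t spi, uint32_t soft, uint32_t hard)
{
	for (int i = 0; i < 4; i++)
		if (!sas[i].live) { sas[i] = (sa_t){ spi, true }; break; }
	schedule(now + soft, spi, false);
	schedule(now + hard, spi, true);
}

static void backend_del_sa(uint32_t spi)
{
	for (int i = 0; i < 4; i++)
		if (sas[i].live && sas[i].spi == spi) sas[i].live = false;
}

/* Timer tick: fire due events, silently dropping those whose SA is gone. */
static void run_until(uint32_t now)
{
	for (int i = 0; i < 16; i++) {
		if (!timers[i].used || timers[i].due > now) continue;
		timers[i].used = false;
		for (int j = 0; j < 4; j++)
			if (sas[j].live && sas[j].spi == timers[i].spi) expire(timers[i].spi, timers[i].hard);
	}
}

int main(void) { backend_add_sa(0, 0xc1, 30, 40); run_until(30); backend_del_sa(0xc1); run_until(40); return 0; }
```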


