[strongSwan] Rekeying of Child SA when the Linux kernel has been bypassed

Martin Willi martin at strongswan.org
Wed Jan 28 12:06:48 CET 2015


> Since I have bypassed the kernel , Can I do the followings in install
> function (defined in child_sa.c) for rekeying of Child SA ? 
> job = (job_t*)rekey_child_sa_job_create(this->reqid,proto_ike2ip(this->protocol), spi);
> lib->scheduler->schedule_job(lib->scheduler, job,soft_add_expires_seconds * 1000);

If your IPsec backend does not raise expire events, you can use the
scheduler to trigger them. However, you shouldn't directly queue the
jobs, but instead call the expire() handler on the kernel interface,
which does all that for you.

For a clean code separation, that code should go to your custom kernel
backend, not the CHILD_SA. The kernel-wfp backend for example uses the
scheduler to trigger expire events, refer to [1] for the implementation



More information about the Users mailing list