[strongSwan] Rekeying of Child SA when the Linux kernel has been bypassed

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed Jan 28 12:51:02 CET 2015



Hi Martin,
Thank you for your suggestion and reference.
Regards, Chinmaya

     On Wednesday, January 28, 2015 4:36 PM, Martin Willi <martin at strongswan.org> wrote:
   

 Hi,

> Since I have bypassed the kernel, can I do the following in the install
> function (defined in child_sa.c) for rekeying of the Child SA?
      
> job = (job_t*)rekey_child_sa_job_create(this->reqid, proto_ike2ip(this->protocol), spi);
> lib->scheduler->schedule_job(lib->scheduler, job, soft_add_expires_seconds * 1000);

If your IPsec backend does not raise expire events, you can use the
scheduler to trigger them. However, you shouldn't directly queue the
jobs, but instead call the expire() handler on the kernel interface,
which does all that for you.

For a clean code separation, that code should go to your custom kernel
backend, not the CHILD_SA. The kernel-wfp backend for example uses the
scheduler to trigger expire events, refer to [1] for the implementation
details.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c;h=39e37b1c;hb=HEAD#l2085



   