[strongSwan] forcing a child SA rekey via Netlink or CLI

Colin Benson cbenson at Brocade.com
Thu Nov 26 21:30:36 CET 2015


Hi.

I am having trouble forcing a rekey of an IPsec/child SA. I've
tried two methods so far. First, I tried constructing a Netlink
message, in the hope that the kernel would reflect it back to
Strongswan. That didn't work, though it could well be that
there's something wrong with my message. I haven't seen any
diagnostic output from the kernel to indicate what I might have
done wrong. And there's no indication of my XFRM_MSG_EXPIRE
in the charon logfile.

So I thought I'd try the various CLIs. The problem now is that I
cannot create a new child SA without first killing the existing
one. That's suboptimal because of course it will create traffic
drops.

For example:

v at vm-s2s11242-2:~$ sudo /usr/sbin/swanctl --initiate --child peer-10.10.2.3-tunnel-1
[ENC] generating QUICK_MODE request 1222671508 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.10.2.2[500] to 10.10.2.3[500] (380 bytes)
[NET] received packet: from 10.10.2.3[500] to 10.10.2.2[500] (380 bytes)
[ENC] parsed QUICK_MODE response 1222671508 [ HASH SA No KE ID ID ]
[CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
[IKE] unable to install IPsec policies (SPD) in kernel
initiate failed: establishing CHILD_SA 'peer-10.10.2.3-tunnel-1' failed

So, what should I do next?

Thanks

c?
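An added example of the Netlink approach described in the message above; it is not the poster's code and not part of strongSwan. It builds an XFRM_MSG_EXPIRE with the kernel's own struct definitions from <linux/xfrm.h>, so the layout cannot be hand-garbled, and sends it over NETLINK_XFRM. The kernel's handler for a userspace XFRM_MSG_EXPIRE looks the SA up by destination address, SPI, protocol and family, and with hard = 0 it keeps the state and re-broadcasts a soft expire to XFRMNLGRP_EXPIRE listeners such as charon, which is the same trigger a normal lifetime-driven rekey uses. A lookup miss is reported only in the Netlink ack (ENOENT), never in the kernel log, so the code reads the ack back. It assumes an IPv4 ESP SA, CAP_NET_ADMIN, and a destination address and SPI supplied on the command line; the values in the test are constructed placeholders.

```c
/* Added example (not the poster's code): soft-expire one IPv4 SA over
 * NETLINK_XFRM so the IKE daemon rekeys it.  Assumes CAP_NET_ADMIN and an
 * IPv4 ESP SA; the (dst, spi) pair is supplied by the caller. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

/* One Netlink request: header followed by the expire payload. */
struct expire_req {
    struct nlmsghdr nlh;
    struct xfrm_user_expire ue;
};

/* Fill in a soft expire (hard = 0) for the SA identified by destination
 * address, SPI (host byte order) and protocol.  The kernel looks the SA up
 * by exactly these fields plus the address family, then re-broadcasts the
 * expire to XFRMNLGRP_EXPIRE listeners such as charon.  Returns the message
 * length, or 0 if the address does not parse. */
size_t build_soft_expire(struct expire_req *req, const char *dst_ip,
                         uint32_t spi_host, uint8_t proto)
{
    memset(req, 0, sizeof(*req));
    if (inet_pton(AF_INET, dst_ip, &req->ue.state.id.daddr.a4) != 1)
        return 0;
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->ue));
    req->nlh.nlmsg_type = XFRM_MSG_EXPIRE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = 1;
    req->ue.state.id.spi = htonl(spi_host);  /* SPI travels big-endian */
    req->ue.state.id.proto = proto;          /* IPPROTO_ESP or IPPROTO_AH */
    req->ue.state.family = AF_INET;
    req->ue.hard = 0;                        /* soft: notify, keep the state */
    return req->nlh.nlmsg_len;
}

/* Send the request and wait for the kernel's acknowledgement.  Returns 0 on
 * success, otherwise the positive errno the kernel reported: ENOENT means no
 * SA matched (dst, spi, proto, family), EINVAL that the SA is not VALID. */
int send_expire(const struct expire_req *req)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0)
        return errno;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    if (sendto(fd, req, req->nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    char buf[4096];
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    close(fd);
    if (n < 0)
        return errno;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)n) || nlh->nlmsg_type != NLMSG_ERROR)
        return EPROTO;
    struct nlmsgerr *err = NLMSG_DATA(nlh);
    return -err->error;   /* kernel reports a negative errno; 0 is the ack */
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <dst-ip> <spi-hex>\n", argv[0]);
        return 2;
    }
    struct expire_req req;
    uint32_t spi = (uint32_t)strtoul(argv[2], NULL, 16);
    if (!build_soft_expire(&req, argv[1], spi, IPPROTO_ESP)) {
        fprintf(stderr, "bad destination address\n");
        return 2;
    }
    int rc = send_expire(&req);
    if (rc) {
        fprintf(stderr, "expire failed: %s\n", strerror(rc));
        return 1;
    }
    puts("soft expire delivered; charon should now log a CHILD_SA rekey");
    return 0;
}
```

The SPI and destination to pass are those of the outbound or inbound state shown by `ip xfrm state`; charon matches the expire to the CHILD_SA it installed and rekeys it in place, so the old SA keeps carrying traffic until the replacement is up. The swanctl attempt in the message fails for a different reason: a second `--initiate` creates a separate CHILD_SA with its own reqid, and its policies collide with the existing reqid's, which is exactly what the "same policy for reqid 15 exists" lines report.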
