[strongSwan] forcing a child SA rekey via Netlink or CLI

Dmitry Shubin shubin at rnd.stcnet.ru
Thu Nov 26 22:47:09 CET 2015 

Hi, Colin.

I think you're looking for
ipsec stroke rekey <ID>
where <ID> is the id string of your SA as shown in the output of "ipsec 
statusall". AFAIK it's undocumented and you have to dig through the 
source code to learn about it.

Example:
ipsec stroke rekey 'myconn{23}' # <-- Child SA rekey
ipsec stroke rekey 'myconn[17]' # <-- IKE SA rekey

On 2015-11-26 23:30, Colin Benson wrote:
> Hi.
> 
> I am having trouble forcing a rekey of an IPsec/child SA. I've
> tried two methods so far. First, I tried constructing a Netlink
> message, in the hope that the kernel would reflect it back to
> Strongswan. That didn't work, though it could well be that
> there's something wrong with my message. I haven't seen any
> diagnostic output from the kernel to indicate what I might have
> done wrong. And there's no indication of my XFRM_MSG_EXPIRE
> in the charon logfile.
> 
> So I thought I'd try the various CLIs. The problem now is that I
> cannot create a new child SA without first killing the existing
> one. That's suboptimal because of course it will create traffic
> drops.
> 
> For example:
> 
> v at vm-s2s11242-2:~$ sudo /usr/sbin/swanctl --initiate --child
> peer-10.10.2.3-tunnel-1
> [ENC] generating QUICK_MODE request 1222671508 [ HASH SA No KE ID ID ]
> 
> [NET] sending packet: from 10.10.2.2[500] to 10.10.2.3[500] (380
> bytes)
> [NET] received packet: from 10.10.2.3[500] to 10.10.2.2[500] (380
> bytes)
> [ENC] parsed QUICK_MODE response 1222671508 [ HASH SA No KE ID ID ]
> [CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [CFG] unable to install policy 10.10.1.0/24 === 10.10.3.0/24 out (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 in (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [CFG] unable to install policy 10.10.3.0/24 === 10.10.1.0/24 fwd (mark
> 0/0x00000000) for reqid 16, the same policy for reqid 15 exists
> [IKE] unable to install IPsec policies (SPD) in kernel
> initiate failed: establishing CHILD_SA 'peer-10.10.2.3-tunnel-1'
> failed
> 
> So, what should I do next?
> 
> Thanks
> 
> c​
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list