[strongSwan] understanding make before break flag

Nalla, Pradeep Pradeep.Nalla at cavium.com
Mon Oct 17 15:09:59 CEST 2016


I was using the make_before_break feature in a recent strongSwan version to avoid packet loss during rekey.


In one of our implementations, we have IPsec dataplane offload hardware. A kernel module is used to intercept the strongSwan messages to the kernel's SAD/SPD, via PFKEY, for feeding to the hardware.


In the make_before_break case I see an insertion of an SA (new CHILD_SA establishment), an update of the policy, and a delete of an SA (old CHILD_SA closing). I want to understand how you ensure that the packets encrypted using the old CHILD_SA are processed successfully at the peer before the old SAs are deleted.


Thanks

Pradeep.