[strongSwan] packet loss during inline rekey

Emeric POUPON emeric.poupon at stormshield.eu
Fri Oct 21 10:46:59 CEST 2016


Packet loss during rekeying seems to have been a recurrent subject for several years now.
Could some people from the dev team please tell us more about this issue? https://wiki.strongswan.org/issues/1291

I would like to know whether or not it is too complicated to be done by somebody who is not part of the dev team.



----- Original Message -----
From: "Nalla, Pradeep" <Pradeep.Nalla at cavium.com>
To: users at lists.strongswan.org
Cc: "Nalla, Pradeep" <Pradeep.Nalla at cavium.com>
Sent: Friday, 21 October, 2016 09:29:40
Subject: [strongSwan] packet loss during inline rekey


Query regarding packet loss during rekey. I was using reauth=no for inline rekeying. After soft expiry, a new CHILD_SA is negotiated and established, followed by the policy update on both gateways.

When does the old CHILD_SA get deleted? In my case it is deleted right after the new SA is established, via INFORMATIONAL[D] request messages exchanged between the gateways. How can I have enough time between the new SA addition and the old SA deletion?

There is a brief packet loss at the rekey initiator due to not finding the inbound SA (it has encountered packets encrypted using the old CHILD_SA). Is this loss expected? If not, how can this be avoided?


