[strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

Tobias Brunner tobias at strongswan.org
Tue Jun 2 09:58:51 CEST 2020

Hi Michael,
> xfrm_acq_expires is the time the kernel holds an acquire event before it drops it.

The kernel currently uses the same timeout for SPIs allocated from the
kernel for inbound SAs (as done before sending IKE_AUTH/CREATE_CHILD_SA
requests), which creates a temporary state that is later updated when
the SA's details are known and the keys are derived.  If it expired in
the meantime, it's theoretically possible that the SPI was reallocated
for another SA/request.  But since that's unlikely (the kernel allocates
them randomly) current versions of the daemon will attempt to install a
new SA with the same SPI if updating fails because the temporary state
has already expired.  This is also the reason why the default value for
xfrm_acq_expires set by the kernel-netlink plugin is based on the
configured retransmission timeout.  However, only for a single exchange.
If e.g. IKE_AUTH requires multiple exchanges due to EAP, the SPI might
still expire before the IKE_SA does.


More information about the Users mailing list
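The reply above says the plugin's default xfrm_acq_expires covers the retransmission time of a single exchange, so an IKE_AUTH that needs several EAP round trips can outlive the kernel's temporary SPI state. The following is an added example, not code from the mailing list post or from strongSwan itself: it applies the retransmission formula documented for charon (the n-th retransmit waits retransmit_timeout * retransmit_base^(n-1), giving up after retransmit_tries retries, about 165 s with the defaults 4.0 / 1.8 / 5) to estimate how long one exchange can take, and then checks whether a given xfrm_acq_expires value (the net.core.xfrm_acq_expires sysctl) is large enough for an assumed number of sequential exchanges. The exchange count and the candidate acquire timeouts are constructed inputs; how the kernel-netlink plugin actually derives its default is not reproduced here.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RetransmitSettings:
    """charon.retransmit_timeout / retransmit_base / retransmit_tries.

    Defaults are strongSwan's documented defaults (4.0 s, 1.8, 5 retries).
    """
    timeout: float = 4.0
    base: float = 1.8
    tries: int = 5

    def intervals(self):
        """Seconds waited before each (re)transmission: the initial send plus
        one entry per retry, each timeout * base^n (documented charon formula)."""
        return [self.timeout * self.base ** n for n in range(self.tries + 1)]

    def exchange_max_seconds(self) -> float:
        """Worst case from sending a request until charon gives up on the exchange."""
        return sum(self.intervals())


def spi_can_expire(acq_expires: int, exchanges: int, rt: RetransmitSettings) -> bool:
    """True if 'exchanges' back-to-back exchanges may together run longer than
    the kernel keeps the temporary (acquire-style) state for an allocated SPI.

    Assumption of this example: the SPI is allocated before the first exchange
    and only updated after the last one, as the post describes for IKE_AUTH
    with EAP, so the whole chain must fit into xfrm_acq_expires."""
    return exchanges * rt.exchange_max_seconds() > acq_expires


def recommended_acq_expires(exchanges: int, rt: RetransmitSettings) -> int:
    """Smallest whole-second xfrm_acq_expires that covers 'exchanges' exchanges
    at their worst-case retransmission time (no safety margin added)."""
    return math.ceil(exchanges * rt.exchange_max_seconds())


if __name__ == "__main__":
    rt = RetransmitSettings()
    # Constructed scenario: an EAP method needing three IKE_AUTH round trips,
    # checked against the Linux default of 30 s and a value sized for one exchange.
    eap_exchanges = 3
    for candidate in (30, math.ceil(rt.exchange_max_seconds())):
        print(f"xfrm_acq_expires={candidate}s, {eap_exchanges} exchanges: "
              f"SPI may expire = {spi_can_expire(candidate, eap_exchanges, rt)}")
    print(f"value covering {eap_exchanges} exchanges: "
          f"{recommended_acq_expires(eap_exchanges, rt)}s")
```

The check is deliberately pessimistic: it assumes every exchange in the chain needs all its retransmissions, which is the case that matters when the peer is slow or lossy. Compare the result against `sysctl net.core.xfrm_acq_expires` on the gateway, or set `charon.plugins.kernel-netlink.xfrm_acq_expires` explicitly when EAP authentication is in use.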