[strongSwan] Effect of xfrm_acq_expires mismatch retransmit timeout?

Michael Schwartzkopff ms at sys4.de
Fri May 29 15:41:15 CEST 2020


What would be the effect if the charon.plugins.xfrm_acq_expires does not
fit the charon.retransmit_* options?

I tried to understand what the xfrm_acq_expires exactly does, but the
docs on the internet are very limited. As far as I understood, it sets a
timer when the SPI times out. Every time traffic is seen for an SPI,
the timer is reset (?)

If the total retransmit timeout is larger than the xfrm_acq_expires,
could it happen that the SPI timed out before charon times out and the
encrypted communication breaks?

Or is there any good timing diagram for encrypted traffic through the kernel?

Kind regards,


[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
