Hi Folks,

I'm sorry to post a little off-topic, but I need help from real experts as I 
can't seem to find any information about this issue on the web.

I am working on a C++ project where it is necessary to establish IPsec SAs with 
ESP and rapidly change the encryption key. To accomplish this I'm using 
Netlink/XFRM messages to alter the SAD. Right now I'm deleting the 
corresponding SA and creating a new one (XFRM_MSG_DELSA and a subsequent 
XFRM_MSG_NEWSA) to update the key. This seems a little bit clumsy to me.

Is there a better way to do this?

I've tried to use NLM_F_REPLACE in the Netlink message flags and 
XFRM_MSG_UPDSA as the message type, but these messages simply had no effect 
(not even a Netlink error message). I've seen XFRM_MSG_UPDSA being used to 
complete SAs initiated by XFRM_MSG_ALLOCSPI messages from state larval to 
mature.

Is this the only purpose for XFRM_MSG_UPDSA-type messages or may I use them 
somehow to alter encryption keys?

As the keys have to change rapidly (as stated above), performance is a factor. 
Therefore I want to strain my system with as few administrative IPsec 
(= Netlink/XFRM) operations as possible.

Any help from the IPsec dev sages is highly appreciated :)

Thanks and cheers,

Stefan
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
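The delete-then-add sequence described in the post, written out as an added example against the Netlink/XFRM UAPI (this is not code from the post and not strongSwan's own code). It builds XFRM_MSG_NEWSA and XFRM_MSG_DELSA messages for an IPv4 transport-mode ESP SA keyed with AES-GCM (a single XFRMA_ALG_AEAD attribute, so there is no separate integrity key to rotate), sends them on a NETLINK_XFRM socket and waits for the kernel's reply. Addresses, SPI, reqid and key bytes are constructed test values. Two points it encodes that matter for the "no effect, not even an error" symptom: every request carries NLM_F_ACK, because without it the kernel sends nothing back on success and a request that silently did nothing looks identical to one that worked; and for an SA that is already mature, the kernel's XFRM_MSG_UPDSA path replaces lifetimes, selector, encapsulation and replay state but leaves the algorithm keys alone and still reports success, which is why changing the key really does require a new SA.

```c
/* Rekey an IPv4 ESP SA over NETLINK_XFRM as the post describes: XFRM_MSG_DELSA for the old
 * SA, then XFRM_MSG_NEWSA carrying fresh AES-GCM key material. Added example, not from the post. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#define AEAD_NAME "rfc4106(gcm(aes))"  /* AES-GCM for ESP (RFC 4106): one attribute, no separate auth key */

struct esp_sa {
    uint32_t src, dst, spi, reqid;  /* IPv4 addresses and SPI in host byte order */
    const uint8_t *key;             /* 16/24/32-byte AES key followed by the 4-byte salt */
    size_t keylen;                  /* 20, 28 or 36 */
};
/* Constructed test values; real keys come from the key exchange (IKE), never from source code. */
static const uint8_t SAMPLE_KEY[20] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15, 16,17,18,19 };
static const struct esp_sa SAMPLE_SA = { 0x0a000001, 0x0a000002, 0x1000, 1, SAMPLE_KEY, 20 };

/* Append one netlink attribute (nlattr header + payload, padded to 4 bytes); -1 if no room. */
static int add_attr(struct nlmsghdr *n, size_t bufsz, uint16_t type, const void *data, size_t len)
{
    size_t off = NLMSG_ALIGN(n->nlmsg_len), alen = NLA_HDRLEN + len;
    if (off + NLA_ALIGN(alen) > bufsz) return -1;
    struct nlattr *a = (struct nlattr *)((unsigned char *)n + off);
    a->nla_type = type;  a->nla_len = (uint16_t)alen;
    memcpy((unsigned char *)a + NLA_HDRLEN, data, len);
    n->nlmsg_len = (uint32_t)(off + NLA_ALIGN(alen));  /* padding is already zero: buf was memset */
    return 0;
}

/* XFRM_MSG_NEWSA for a transport-mode ESP SA. Returns the message length, 0 on error. */
size_t build_newsa(unsigned char *buf, size_t bufsz, const struct esp_sa *sa)
{
    union { struct xfrm_algo_aead hdr; unsigned char raw[sizeof(struct xfrm_algo_aead) + 36]; } alg;
    if (bufsz < NLMSG_SPACE(sizeof(struct xfrm_usersa_info))) return 0;
    if (sa->keylen != 20 && sa->keylen != 28 && sa->keylen != 36) return 0;
    memset(buf, 0, bufsz);
    struct nlmsghdr *n = (struct nlmsghdr *)buf;
    n->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));  n->nlmsg_type = XFRM_MSG_NEWSA;
    n->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;  /* without NLM_F_ACK a successful request gets no reply */
    struct xfrm_usersa_info *info = NLMSG_DATA(n);
    info->family = AF_INET;           info->mode = XFRM_MODE_TRANSPORT;
    info->saddr.a4 = htonl(sa->src);  info->id.daddr.a4 = htonl(sa->dst);
    info->id.spi = htonl(sa->spi);    info->id.proto = IPPROTO_ESP;
    info->reqid = sa->reqid;          info->replay_window = 32;
    info->lft.soft_byte_limit = info->lft.hard_byte_limit = XFRM_INF;      /* no kernel-side lifetimes: */
    info->lft.soft_packet_limit = info->lft.hard_packet_limit = XFRM_INF;  /* rekeying is driven from here */
    memset(&alg, 0, sizeof alg);
    memcpy(alg.hdr.alg_name, AEAD_NAME, sizeof AEAD_NAME);
    alg.hdr.alg_key_len = (unsigned int)sa->keylen * 8;  /* in bits, salt included */
    alg.hdr.alg_icv_len = 128;                           /* 16-byte ICV */
    memcpy(alg.raw + sizeof alg.hdr, sa->key, sa->keylen);
    if (add_attr(n, bufsz, XFRMA_ALG_AEAD, alg.raw, sizeof alg.hdr + sa->keylen) < 0) return 0;
    return n->nlmsg_len;
}

/* XFRM_MSG_DELSA: the SA is addressed by destination, SPI, family and protocol only. */
size_t build_delsa(unsigned char *buf, size_t bufsz, const struct esp_sa *sa)
{
    if (bufsz < NLMSG_SPACE(sizeof(struct xfrm_usersa_id))) return 0;
    memset(buf, 0, bufsz);
    struct nlmsghdr *n = (struct nlmsghdr *)buf;
    n->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));  n->nlmsg_type = XFRM_MSG_DELSA;
    n->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    struct xfrm_usersa_id *id = NLMSG_DATA(n);
    id->daddr.a4 = htonl(sa->dst);  id->spi = htonl(sa->spi);
    id->family = AF_INET;           id->proto = IPPROTO_ESP;
    return n->nlmsg_len;
}

/* Send one request and wait for its NLMSG_ERROR reply: 0 is the ACK, otherwise -errno. */
int xfrm_transact(int fd, unsigned char *msg, size_t len, uint32_t seq)
{
    unsigned char rbuf[4096];
    if (len == 0) return -EINVAL;  /* a build_* call failed */
    ((struct nlmsghdr *)msg)->nlmsg_seq = seq;
    if (send(fd, msg, len, 0) < 0) return -errno;
    int r = (int)recv(fd, rbuf, sizeof rbuf, 0);
    if (r < 0) return -errno;
    for (struct nlmsghdr *h = (struct nlmsghdr *)rbuf; NLMSG_OK(h, r); h = NLMSG_NEXT(h, r))
        if (h->nlmsg_type == NLMSG_ERROR && h->nlmsg_seq == seq)
            return ((struct nlmsgerr *)NLMSG_DATA(h))->error;
    return -EPROTO;
}

/* Install the SA, then rekey it with delete + add. Needs CAP_NET_ADMIN and a policy for reqid 1. */
int main(void)
{
    static const uint8_t NEW_KEY[20] = { 19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4, 3,2,1,0 }; /* constructed */
    unsigned char msg[512];  struct esp_sa sa = SAMPLE_SA;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) { perror("socket(NETLINK_XFRM)"); return 1; }
    int r1 = xfrm_transact(fd, msg, build_newsa(msg, sizeof msg, &sa), 1);
    int r2 = xfrm_transact(fd, msg, build_delsa(msg, sizeof msg, &sa), 2);
    sa.key = NEW_KEY;  int r3 = xfrm_transact(fd, msg, build_newsa(msg, sizeof msg, &sa), 3);
    printf("install: %s\ndelete: %s\nrekey: %s\n", strerror(-r1), strerror(-r2), strerror(-r3));
    close(fd);  return (r1 || r2 || r3) ? 1 : 0;
}
```

Build with `gcc -o xfrm_rekey xfrm_rekey.c`, run it as root and check the result with `ip xfrm state`; the message builders need no privileges, only the socket does. Deleting and re-adding under the same SPI drops whatever is in flight during the switch, so if that matters the same two builders can be used in the opposite order with a fresh SPI: add the new SA first, then delete the old one, which is how IKE daemons rekey.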
