Christophe,

> Insert new ike_sas in the sa table as soon as they are created in
> checkout_new.

Thanks for your patch. Unfortunately, it is not unproblematic. The problem is that checkout_new() is called from threads holding another IKE_SA, for example during rekeying. This results in the situation that a thread holds two IKE_SAs, which breaks the golden rule to avoid deadlocks. If I remember correctly, some years ago we explicitly changed the behavior to register the IKE_SA not before check-in to exactly avoid deadlocks resulting from this behavior.

I don't know if there is a better fix for this issue, but I don't think there really is one needed. Under high load, packet drops can occur. This is not ideal, but it will happen anyway. Retransmission should take care that the SA comes up nonetheless.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
