Hi Emeric,

> Could you please provide some further explanation about this commit you
> made some time ago? [...] 6ad787ca54ba8f51dce8311dc8bb012a04581b96

With the reqid allocation changes introduced in 5.3.3, we now try to reuse reqids for identical tunnels. This allows us to better support multiple tunnels with the same selectors, as all available SAs are valid for the single SP instance shared by the tunnels.

Unfortunately, due to traffic selector narrowing in IKEv2, we don't know the traffic selectors when we allocate an SPI in the kernel. This implies that we can't allocate (or reuse) a reqid for that selector at that stage. At least with Linux, we can't update the reqid for an allocated SPI, so we must reinstall the SA with the same SPI once we know the reqid. In this patch we do this by deleting the SA associated with the allocated SPI, and then installing SAs in both directions (not doing an update for the inbound SA).

> (We have some patch in the kernel that assume the SADB_GETSPI message
> is always related to an inbound SA and the SADB_ADD message is always
> related to an outbound SA)

You may try to go through another alloc/update cycle for the inbound SPI after deleting it.

Regards
Martin

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
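The sequence Martin describes (SPI allocated before narrowing, reqid chosen once the selectors are known, SA deleted and re-added with the same SPI because the kernel refuses to change a reqid), as a small added model; this is illustration code, not strongSwan or Linux XFRM code, and the class and function names, the immutable-reqid rule and the sample selectors are assumptions of the model.

```python
# Added toy model of a kernel SAD/SPD and of strongSwan-style reqid reuse.
# Not strongSwan or kernel code: names, constructed selectors and the rule
# that an installed SA's reqid is immutable are assumptions of this model.
from dataclasses import dataclass

@dataclass
class SA:
    spi: int
    inbound: bool
    reqid: int          # 0 = not yet known (SPI allocated before TS narrowing)
    ts: tuple = ()

class KernelModel:
    """SAD keyed by SPI, one SP per reqid; reqid of an installed SA is fixed."""
    def __init__(self):
        self.sad = {}                 # spi -> SA
        self.spd = {}                 # reqid -> selector tuple
        self.next_spi = 0xC0000000
    def get_spi(self):
        """Allocate an inbound SPI; the reqid is unknown at this point."""
        spi = self.next_spi; self.next_spi += 1
        self.sad[spi] = SA(spi, inbound=True, reqid=0)
        return spi
    def add_sa(self, sa):
        self.sad[sa.spi] = sa
    def del_sa(self, spi):
        del self.sad[spi]
    def update_sa_reqid(self, spi, reqid):
        raise PermissionError("reqid of an installed SA cannot be changed")
    def install_policy(self, reqid, ts):
        self.spd[reqid] = ts
    def usable_sas(self, reqid):
        """SPIs of all SAs the SP with this reqid may use (both directions)."""
        return sorted(sa.spi for sa in self.sad.values() if sa.reqid == reqid)

class ReqidAllocator:
    """Hand out one reqid per distinct (narrowed) selector pair and reuse it."""
    def __init__(self):
        self.by_ts = {}; self.next_reqid = 1
    def get(self, ts):
        if ts not in self.by_ts:
            self.by_ts[ts] = self.next_reqid; self.next_reqid += 1
        return self.by_ts[ts]

def establish_tunnel(kernel, alloc, ts, spi_out):
    """SPI first (reqid unknown), selectors narrowed later, then reinstall."""
    spi_in = kernel.get_spi()           # step 1: inbound SPI, reqid still 0
    reqid = alloc.get(ts)               # step 2: reqid known only after narrowing
    try:
        kernel.update_sa_reqid(spi_in, reqid)
    except PermissionError:             # step 3: delete placeholder, re-add same SPI
        kernel.del_sa(spi_in)
        kernel.add_sa(SA(spi_in, True, reqid, ts))
    kernel.add_sa(SA(spi_out, False, reqid, ts))   # outbound SA with final reqid
    kernel.install_policy(reqid, ts)
    return reqid, spi_in
```

Two tunnels with identical selectors end up with one reqid, so `usable_sas()` for that SP lists the SAs of both tunnels; a tunnel with different selectors gets a fresh reqid.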
