Hi, I was using the make-before-break feature of strongswan to avoid packet loss in one of our implementations.

We have IPsec offload hardware that forwards packets encrypted/decrypted using IPsec policies and SAs. These SAs and policies are configured by intercepting the strongswan messages to the kernel (via the PF_KEY socket). There used to be huge packet loss during rekey because the IKE and CHILD SAs were torn down before the new SAs were installed. The make_before_break feature reduced the packet loss significantly but did not avoid it.

I saw the following sequence of PF_KEY messages: SADB_ADD (new child SA add), SADB_X_SPDUPDATE (update the policy to the new child SA) and SADB_DELETE (delete old child SA). The initiator, after establishing the new CHILD_SA, sends the delete CHILD_SA (old) message to the peer and receives the delete CHILD_SA request from the peer. The initiator, even after deleting its CHILD_SA, sees some in-flight packets from the peer encrypted using the old child SA, thereby dropping them.

How are initiator and responder synchronized in strongswan? Will "make before break" completely avoid the packet loss?

Thanks,
Pradeep.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
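The post describes the receiving side's security association database (SAD) during a CHILD_SA rekey and the packets that are still in flight under the old SA when it is deleted. The following Python model is an added illustration, not code from the post and not strongswan's or the kernel's own code. It mirrors the three PF_KEY messages named above (SADB_ADD, SADB_X_SPDUPDATE, SADB_DELETE) as methods on a toy SAD, with constructed SPIs and tick values. It shows why deleting the old inbound SA the moment the new one is in use drops every packet the peer sent under the old SPI before it learned of the rekey, and why keeping the old inbound SA for a short grace period (a "draining" window, as IKEv2 rekeying expects) lets those packets arrive. The `grace_ticks` parameter and the packet timing are assumptions of the model, not strongswan settings.

```python
"""Toy model of the inbound SAD during a make-before-break CHILD_SA rekey.

Added example: a simplified, constructed simulation, not strongswan code.
Time is a sequence of integer ticks; at each tick the kernel-side events
(install / policy switch / delete) are applied before any packet that arrives
in that tick is looked up in the SAD.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed SPIs for the old and the rekeyed CHILD_SA (not real values).
OLD_SPI = 0x1001
NEW_SPI = 0x1002


@dataclass
class Packet:
    """An ESP packet as seen by the receiver: the SPI it was encrypted under,
    a sequence number for bookkeeping and the tick at which it arrives."""
    spi: int
    seq: int
    arrive_at: int


@dataclass
class InboundSad:
    """Minimal inbound SAD: SPI -> state, plus the policy's current SPI."""
    sad: Dict[int, str] = field(default_factory=dict)
    policy_spi: Optional[int] = None
    delivered: List[int] = field(default_factory=list)
    dropped: List[int] = field(default_factory=list)

    # The three PF_KEY messages named in the post, reduced to their effect.
    def sadb_add(self, spi: int) -> None:
        self.sad[spi] = "active"

    def sadb_x_spdupdate(self, spi: int) -> None:
        # New traffic is now sent/expected under the new SA; the old SA
        # stays installed so that packets still in transit can be decrypted.
        self.policy_spi = spi
        for other in self.sad:
            if other != spi:
                self.sad[other] = "draining"

    def sadb_delete(self, spi: int) -> None:
        self.sad.pop(spi, None)

    def receive(self, pkt: Packet) -> None:
        # A packet is only accepted if its SPI still resolves in the SAD;
        # an "active" or "draining" entry both decrypt, a missing one drops.
        if pkt.spi in self.sad:
            self.delivered.append(pkt.seq)
        else:
            self.dropped.append(pkt.seq)


def run_rekey(grace_ticks: int, in_flight: int = 3) -> InboundSad:
    """Simulate one rekey.

    Tick 0: the new SA is installed and the policy switched to it.
    The peer had already sent `in_flight` packets under the old SPI; they
    arrive at ticks 1 .. in_flight (constructed one-way latency).
    The old SA is deleted at tick 1 + grace_ticks.
    """
    sad = InboundSad()
    sad.sadb_add(OLD_SPI)
    sad.policy_spi = OLD_SPI

    pending = [Packet(OLD_SPI, seq=i, arrive_at=1 + i) for i in range(in_flight)]
    delete_at = 1 + grace_ticks

    for tick in range(0, in_flight + grace_ticks + 2):
        if tick == 0:
            sad.sadb_add(NEW_SPI)          # SADB_ADD: new CHILD_SA
            sad.sadb_x_spdupdate(NEW_SPI)  # SADB_X_SPDUPDATE: policy -> new SA
        if tick == delete_at:
            sad.sadb_delete(OLD_SPI)       # SADB_DELETE: old CHILD_SA
        for pkt in pending:
            if pkt.arrive_at == tick:
                sad.receive(pkt)
    return sad


if __name__ == "__main__":
    for grace in (0, 1, 3):
        result = run_rekey(grace)
        print(f"grace={grace}: delivered={result.delivered} dropped={result.dropped}")
```

With `grace_ticks=0` the delete lands before the first in-flight packet and all three are dropped, which is the behaviour the post observes; with a grace window at least as long as the one-way latency nothing is lost. The same reasoning applies to the outbound side: a sender that switches its policy to the new SA while the peer has not yet installed the matching inbound SA produces the mirror-image loss, so both endpoints need the old SA to stay decryptable until the other side has demonstrably moved over.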