Hi:

I'm sure you've all seen this error message. At some point a patch was applied to change the offending update to an add if the error occurred. This is wrong because some updates do not contain keying material. Moreover, the add too can fail if the SPI has already been reallocated to another SA.

The whole point of the get_spi + update procedure is to guarantee the SPI uniqueness. So you can't just replace the update with an add if the SA generated by get_spi expires.

Anyway, the root cause of these messages is a setting of the sysctl xfrm_acq_expires that is too low compared to the timeout setting of libreswan. In particular, the default setting of 30 is designed so that your entire IKE exchange should complete within 30 seconds, which incidentally is what racoon uses to determine an IKE timeout.

For libreswan, I suggest that you increase this parameter to a more appropriate value. I haven't done the calculations but strongswan sets it to 165 which seems to be appropriate.

Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
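The race described in the message above, as an added toy model that is not part of the email, the kernel or libreswan: a larval SA reserved by get_spi is dropped once xfrm_acq_expires seconds pass without an update, its SPI can then be handed to another negotiation, and the patched "fall back to add" collides. The table, the single-pool SPI allocator and the negotiation timings are all constructed assumptions.

```python
# Constructed illustration of get_spi -> update under xfrm_acq_expires.
# Not kernel or libreswan code; SA identity is reduced to (owner, spi).

class XfrmTable:
    """SAs keyed by SPI. A larval SA reserved via get_spi is removed
    once acq_expires seconds pass without an update; its SPI is freed."""

    def __init__(self, acq_expires, spi_pool):
        self.acq_expires = acq_expires
        self.spi_pool = list(spi_pool)
        self.sas = {}  # spi -> {"owner", "larval", "expires_at"}

    def _expire(self, now):
        for spi, sa in list(self.sas.items()):
            if sa["larval"] and now >= sa["expires_at"]:
                del self.sas[spi]
                self.spi_pool.insert(0, spi)  # toy choice: reuse freed SPI first

    def get_spi(self, owner, now):
        self._expire(now)
        spi = self.spi_pool.pop(0)
        self.sas[spi] = {"owner": owner, "larval": True,
                         "expires_at": now + self.acq_expires}
        return spi

    def update(self, spi, owner, now):
        """Install keys into the larval SA this negotiation reserved."""
        self._expire(now)
        sa = self.sas.get(spi)
        if sa is None or sa["owner"] != owner:
            return "ESRCH"   # our larval SA timed out: nothing to update
        sa["larval"] = False
        return "OK"

    def add(self, spi, owner, now):
        """The patched fallback: add a fresh SA with the same SPI."""
        self._expire(now)
        if spi in self.sas:
            return "EEXIST"  # SPI already reallocated to another SA
        self.sas[spi] = {"owner": owner, "larval": False, "expires_at": 0}
        return "OK"


def negotiate(acq_expires, ike_seconds):
    """ike-1 reserves an SPI at t=0 and installs keys at t=ike_seconds;
    a second negotiation reserves an SPI at t=35 (ike_seconds >= 35)."""
    tbl = XfrmTable(acq_expires, spi_pool=[0x1000, 0x2000])
    spi = tbl.get_spi("ike-1", now=0)
    tbl.get_spi("ike-2", now=35)
    result = tbl.update(spi, "ike-1", now=ike_seconds)
    if result != "OK":
        result += "/add:" + tbl.add(spi, "ike-1", now=ike_seconds)
    return spi, result
```

With the default of 30 and a 45-second exchange the update fails and the add collides; with 165 the same exchange completes.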
