On Sat, 11 Apr 2015, Herbert Xu wrote:

Subject: [Swan-dev] ERROR: netlink response for Add SA ... included errno 3:
    No such process

> I'm sure you've all seen this error message.  At some point a
> patch was applied to change the offending update to an add if
> the error occurred.

If I remember correctly that was needed because sometimes the kernel
deletes an SA, and if we call update it fails if there is nothing
to update.

> This is wrong because some updates do not
> contain keying material.

I don't understand this. Can you explain what the problem is for those
SAs?

> Moreover, the add too can fail if the
> SPI has already been reallocated to another SA.

By whom? We assume we are the only IKE daemon running and the only
entity requesting SPIs from the kernel. Anything else is madness.

> The whole point of the get_spi + update procedure is to guarantee
> the SPI uniqueness.  So you can't just replace the update with
> an add if the SA generated by get_spi expires.

I'll have to think about this a bit more...

> Anyway, the root cause of these messages is a setting of the
> sysctl xfrm_acq_expires that is too low compared to the timeout
> setting of libreswan.  In particular, the default setting of
> 30 is designed so that your entire IKE exchange should complete
> within 30 seconds, which incidentally is what racoon uses to
> determine an IKE timeout.

Yes, current git has switched to libevent and subsecond retransmits
and timeouts, so we will fall within that 30 second time window as
well.

> For libreswan, I suggest that you increase this parameter to
> a more appropriate value.  I haven't done the calculations but
> strongswan sets it to 165 which seems to be appropriate.

Almost 3 minutes? That seems very long.

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
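The exchange above argues about three things at once: why the update after get_spi fails with ESRCH when the larval SA has been reaped, why turning that failed update into an add only papers over the problem (the add can itself hit EEXIST once the SPI has been handed out again), and why raising xfrm_acq_expires above the IKE timeout is the actual fix. The following is an added example written for this page, not code from the thread, the kernel or libreswan: a small simulation of the kernel-side state table with the larval-SA expiry timer, plus the daemon-side get_spi + update sequence with and without the add fallback. The SPI allocator is deliberately simplified (lowest free SPI from a tiny constructed pool) so that reallocation is visible; the errno values are the Linux ones.

```python
import errno
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the SPI allocation flow discussed in the thread:
# ALLOCSPI hands out a larval (key-less) state that the kernel reaps after
# xfrm_acq_expires seconds; the IKE daemon must follow up with UPDSA that
# installs keying material before that happens. Simulation only, not kernel
# or libreswan code.


@dataclass
class SaState:
    spi: int
    larval: bool                    # True until keying material is installed
    expires_at: float               # larval states are reaped at this time
    keymat: Optional[bytes] = None


class XfrmModel:
    def __init__(self, acq_expires: float, spi_pool: Tuple[int, ...] = (0x1000, 0x1001)):
        self.acq_expires = acq_expires   # stands in for sysctl xfrm_acq_expires
        self.spi_pool = spi_pool         # simplified allocator: lowest free SPI
        self.now = 0.0
        self.states: Dict[int, SaState] = {}

    def tick(self, seconds: float) -> None:
        """Advance simulated time and reap expired larval states."""
        self.now += seconds
        for spi in [s for s, st in self.states.items()
                    if st.larval and st.expires_at <= self.now]:
            del self.states[spi]

    def alloc_spi(self) -> int:
        """get_spi / XFRM_MSG_ALLOCSPI: reserve a free SPI as a larval state."""
        for spi in self.spi_pool:
            if spi not in self.states:
                self.states[spi] = SaState(spi, True, self.now + self.acq_expires)
                return spi
        raise RuntimeError("SPI pool exhausted")

    def update_sa(self, spi: int, keymat: bytes) -> int:
        """XFRM_MSG_UPDSA: install keys into the larval state; ESRCH if gone."""
        st = self.states.get(spi)
        if st is None:
            return errno.ESRCH      # errno 3, the error from the subject line
        st.larval, st.expires_at, st.keymat = False, math.inf, keymat
        return 0

    def add_sa(self, spi: int, keymat: bytes) -> int:
        """XFRM_MSG_NEWSA: create a fresh state; EEXIST if the SPI is in use."""
        if spi in self.states:
            return errno.EEXIST
        self.states[spi] = SaState(spi, False, math.inf, keymat)
        return 0


def negotiate(kernel: XfrmModel, ike_seconds: float, fallback_to_add: bool) -> int:
    """One daemon's get_spi + update sequence, optionally with the
    'turn a failed update into an add' workaround the thread describes."""
    spi = kernel.alloc_spi()
    kernel.tick(ike_seconds)             # time spent completing the IKE exchange
    rc = kernel.update_sa(spi, b"constructed-keymat")
    if rc == errno.ESRCH and fallback_to_add:
        rc = kernel.add_sa(spi, b"constructed-keymat")
    return rc


def slow_exchange_default_sysctl() -> int:
    """acq_expires=30 but the exchange takes 45 s: larval SA reaped, ESRCH."""
    return negotiate(XfrmModel(acq_expires=30), ike_seconds=45, fallback_to_add=False)


def fallback_add_without_collision() -> int:
    """Same timing with the add fallback and nobody else asking for SPIs:
    the add succeeds, which is why the workaround appears to help."""
    return negotiate(XfrmModel(acq_expires=30), ike_seconds=45, fallback_to_add=True)


def fallback_add_collides() -> int:
    """The add fallback after the reaped SPI has been handed to a second
    negotiation: the add fails too, with EEXIST."""
    k = XfrmModel(acq_expires=30, spi_pool=(0x1000,))
    spi = k.alloc_spi()
    k.tick(31)                                   # larval state reaped
    rc = k.update_sa(spi, b"first-keymat")       # ESRCH
    other = k.alloc_spi()                        # second exchange recycles the SPI
    k.update_sa(other, b"second-keymat")         # and completes
    if rc == errno.ESRCH:
        rc = k.add_sa(spi, b"first-keymat")      # EEXIST: SPI belongs to another SA
    return rc


def slow_exchange_raised_sysctl() -> int:
    """acq_expires raised above the IKE timeout: the update succeeds."""
    return negotiate(XfrmModel(acq_expires=165), ike_seconds=45, fallback_to_add=False)
```

The four scenario functions return the kernel error code the daemon would see, so the contrast is direct: the update fails only because the larval state outlived its timer, the add fallback succeeds only while no other negotiation has been given the same SPI, and the raised sysctl is what removes the race rather than masking it.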