No idea on this topic?

It seems to be related to: https://wiki.strongswan.org/issues/839#note-1
(but in FreeBSD we use the old SA by default)

Emeric 

----- Original Message -----
From: "Emeric POUPON" <[email protected]>
To: [email protected]
Sent: Thursday, April 16, 2015 15:33:37
Subject: [strongSwan] Packets dropped during CHILD SA rekeying

Hello,

Using FreeBSD 9.3, strongSwan 5.2.2

We're experiencing some dropped packets while CHILD SAs are being rekeyed.

When rekeying a CHILD SA, we create a new set of IPsec SAs, with new 
inbound/outbound SPIs in the kernel.
Once done, we have two pairs of IPsec SAs living in the kernel, and we still use 
the old one due to the default FreeBSD behavior (sysctl 
"net.key.preferred_oldsa=1").

Then we delete the old IPsec SA pair:
- we first send a DELETE
- on reception of the ack, we delete the old entries in the kernel.

In the meantime we use the old outbound SA: the remote host deletes the old 
inbound SA and drops further packets.

If we set preferred_oldsa=0, the very same issue seems to occur during the SA 
establishment in the kernel.

A solution may be to delete the old outbound SA when sending the DELETE, and 
delete the old inbound SA when receiving the ack (or maybe some time later?).

What do you think?

Emeric
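
Added example, not part of the original message and not strongSwan or FreeBSD code: a small timeline model of the teardown order described above, comparing deletion of both old SAs on the ack with the proposed split (old outbound SA removed when the DELETE is sent, old inbound SA on the ack). The timing values, the strategy names and the third variant (`both_on_delete`, included to show why the inbound SA is kept until the ack) are assumptions made for illustration.

```python
# Simplified timeline model of the old-SA teardown described in the message.
# Constructed assumptions: fixed one-way delay, in-order delivery, one packet
# per tick in each direction, new SA pair already installed on both hosts,
# both hosts prefer the old outbound SA while it exists (preferred_oldsa=1),
# and the peer removes its old SA pair when the DELETE arrives.

STRATEGIES = ("both_on_ack", "out_on_delete", "both_on_delete")


def simulate(strategy, delay=3, delete_at=10, ticks=30):
    """Return (dropped local->peer, dropped peer->local) packet counts."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    peer_del = delete_at + delay    # peer processes DELETE, removes old pair
    ack_at = delete_at + 2 * delay  # local host receives the ack
    # When the local host removes its old outbound / inbound SA.
    local_out_del = ack_at if strategy == "both_on_ack" else delete_at
    local_in_del = delete_at if strategy == "both_on_delete" else ack_at

    to_peer = to_local = 0
    for t in range(ticks):
        arrive = t + delay
        # local -> peer: sent on the old SA, but the peer already removed it
        if t < local_out_del and arrive >= peer_del:
            to_peer += 1
        # peer -> local: sent on the old SA, but the local host removed it
        if t < peer_del and arrive >= local_in_del:
            to_local += 1
    return to_peer, to_local


if __name__ == "__main__":
    for name in STRATEGIES:
        print(f"{name:15s} dropped (to peer, to local) = {simulate(name)}")
```

In this model the number of packets lost with `both_on_ack` equals the round-trip time in ticks, which is the window between sending the DELETE and receiving the ack.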

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users