I was using the make_before_break feature in a recent strongSwan version to avoid 
packet loss during rekey.


In one of our implementations, we have IPsec dataplane offload hardware. A 
kernel module is used to intercept the strongSwan messages to the kernel's 
SAD/SPD, via PFKEY, for feeding to the hardware.


In the make_before_break case I see an insertion of an SA (new CHILD_SA establishment), 
an update of the policy and a deletion of an SA (old CHILD_SA closing). I want to understand 
how you ensure that the packets encrypted using the old CHILD_SA are 
processed at the peer successfully before the old SAs are deleted.


Thanks

Pradeep.