I was using the make before break feature of strongswan to avoid packet
loss in one of our implementation.

We have an ipsec offload hardware that forwards packets encrypted/decrypted
using IPSec policies and SAs.
These SAs and policies are configured by intercepting the strongswan
messages to kernel (via pfkey socket).
There used to be huge packet loss during rekey because of ike and child SAs
tear down before new SAs installed.

make_before_break feature, reduced the packet loss significantly but not
avoided it. I saw the following sequence of
PFKEY messages SADB_ADD(new child SA add), SADB_X_SPDUPDATE (update the
policy to new child SA) and
SADB_DELETE(delete old child SA).

The initiator after establishing new CHILD_SA, sending the delete
CHILD_SA(old) message to peer and
receiving the delete CHILD_SA request from peer. Initiator, even after
deleting its CHILD_SA, seeing some in-flight
packets from peer encrypted using old child SA there by dropping them.

How does initiator and responder synchronized in strongswan? Will "make
before break" completely avoids the packet loss?

Users mailing list

Reply via email to