Hi Anand,

wrt RFC 4306 Page 22:

"If the two ends have the same lifetime policies, it is possible that both will initiate a rekeying at the same time (which will result in redundant SAs). To reduce the probability of this happening, the timing of rekeying requests SHOULD be jittered (delayed by a random amount of time after the need for rekeying is noticed)."

Not a concrete suggestion, but to make sure that strongswan 4.3(.6) is not having any bug (or improper handling) to jitter rekeymargin. Can it be searched quickly in the git tree (for any such commit)?

Second, after reading a few of the following paragraphs (and importantly the last para of Sec 2.8), the timing window for rekeymargin is also associated with the CREATE_CHILD_SA request handled by the rekey responder. You may need to look closely in charon.log at this situation.

I also observed that you are setting keyingtries=1. Can it be the default 3 and tried once again, if there is any packet drop observed?

Thanks,
Gowri Shankar

On Tuesday 20 March 2012 06:24 PM, anand rao wrote:
> Hi Tobias,
>
> I have already enabled both kernel-pfkey and kernel-netlink plugins. Both
> the plugins are loaded.
> This was suggested by Andreas for my earlier query about pfkey plugin usage
> for IKEv1.
>
> Since 4.5.3 is causing kernel-panic in my environment for unknown reasons, I
> want to resolve the redundant child SA issue on 4.3.6. Please suggest me in
> resolving this issue.
>
> Thanks,
> Anand
>
> ----- Original Message -----
> From: Tobias Brunner <tob...@strongswan.org>
> To: anand rao <anandrao...@yahoo.co.in>
> Cc: "users@lists.strongswan.org" <users@lists.strongswan.org>
> Sent: Tuesday, March 20, 2012 2:25 PM
> Subject: Re: [strongSwan] Charon hangs after failing to delete Rekeyed IPsec SAs
>
> Hi Anand,
>
>> On my environment there is no support for kernel-netlink interface
>> for IPsec,
>>
>> I have to use kernel-pfkey interface only as I have my hooks
>> registered in PFKEY to XFRM for IPsec.
>>
>> I have tried latest versions of strongswan (4.5.1 and 4.5.3) both
>> resulted in kernel panic after running for a while. I think there is
>> not much support for kernel-pfkey plugin in latest strongswan
>> versions, and since latest versions require kernel-netlink plugin to
>> function properly migrating to newer versions might be not helpful in
>> my case.
>
> You actually need both plugins on Linux, even if using kernel-pfkey to
> install IPsec SAs and policies. The reason for this is that the
> kernel-netlink plugin also implements the kernel_net_t interface which
> is used for address and route lookups etc. You can enable both plugins,
> the kernel-pfkey plugin is then loaded first by default (otherwise make
> sure it is loaded first), which means that its kernel_ipsec_t
> implementation is used while the kernel-netlink plugin can still provide
> the required kernel_net_t implementation.
>
> Regards,
> Tobias
>
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
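As an added illustration of the rekey jitter discussed in the RFC 4306 quote above (example code written for this page, not code from the thread or from strongSwan), the simulation below assumes strongSwan's documented rekeymargin/rekeyfuzz semantics: the margin is randomly increased by up to rekeyfuzz percent and then subtracted from the hard lifetime. It compares two peers with identical lifetime policy with and without fuzz and counts how often both would start a CREATE_CHILD_SA rekey at nearly the same moment (the situation that yields redundant child SAs).

```python
import random


def rekey_instant(lifetime, margin, fuzz_percent, rng=None):
    """Seconds after SA establishment at which one peer starts rekeying.

    Assumed model (strongSwan's documented rekeymargin/rekeyfuzz behaviour):
    the margin is randomly increased by up to fuzz_percent, then subtracted
    from the hard lifetime. fuzz_percent=0 means no jitter at all.
    """
    rng = rng or random.Random()
    jitter = rng.uniform(0, margin * fuzz_percent / 100.0)
    return lifetime - (margin + jitter)


def simultaneous_rekeys(lifetime, margin, fuzz_percent, trials,
                        window=1.0, seed=1):
    """Count trials in which two peers with the same policy both start a
    rekey within `window` seconds of each other. Each such trial is one
    where both sides send CREATE_CHILD_SA and end up with redundant SAs
    that one of them then has to delete (RFC 4306 section 2.8).
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    collisions = 0
    for _ in range(trials):
        a = rekey_instant(lifetime, margin, fuzz_percent, rng)
        b = rekey_instant(lifetime, margin, fuzz_percent, rng)
        if abs(a - b) < window:
            collisions += 1
    return collisions


if __name__ == "__main__":
    # Constructed sample policy: 1 h child SA lifetime, 9 min margin
    # (strongSwan's default margintime), evaluated over 1000 SA lifetimes.
    LIFETIME, MARGIN, TRIALS = 3600, 540, 1000
    for fuzz in (0, 100):
        hits = simultaneous_rekeys(LIFETIME, MARGIN, fuzz, TRIALS)
        print(f"rekeyfuzz={fuzz}%: {hits}/{TRIALS} lifetimes with a "
              f"near-simultaneous rekey")
```

With rekeyfuzz=0% every lifetime produces a collision, so a box that appears to ignore the fuzz setting will show exactly this pattern in charon.log; with the default 100% the collisions drop to a small fraction.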