Hi,

I modified the strongSwan (5.0.4) code to bypass strongSwan's IPsec Linux
kernel interface. I implemented so that the IPsec SAs can be inserted and
deleted on the active tunnels can be retrieved from the data plane (NPU) which
does the actual ESP encryption and decryption work.

Each IPsec SA in the Linux kernel has a lifetime configuration consisting of
both a soft and a hard limit for the time. Each time one of the soft or hard
limits is reached, the Linux kernel generates an XFRM_MSG_EXPIRE message,
which the charon daemon processes as follows:

1. If a soft limit was reached, then a CHILD_SA rekeying job is scheduled:

    job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);

2. If a hard limit is reached, then the CHILD_SA is deleted:

    job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);

Since I have bypassed the kernel, can I do the following in the install
function (defined in child_sa.c) for rekeying of the Child SA?

    u_int64_t soft_add_expires_seconds = 0;
    job_t *job;

    soft_add_expires_seconds = lifetime->time.rekey;
    if (soft_add_expires_seconds > 0)
    {
        job = (job_t*)rekey_child_sa_job_create(this->reqid,
                        proto_ike2ip(this->protocol), spi);
        lib->scheduler->schedule_job(lib->scheduler, job,
                        soft_add_expires_seconds * 1000);
        lib->processor->queue_job(lib->processor, job);
    }

I think the IPsec peer will start the Child SA re-key when the lifetime hits
the value set in soft_add_expires_seconds. Through the Scheduler it is
possible to schedule jobs for an execution in the future. The Scheduler has
internally a heap in which it stores the scheduled jobs ordered by the time
when they have to be executed. Similarly, if a hard limit is reached, then the
CHILD_SA should be deleted via a delete_child_sa_job_create job.

Please feel free to correct me if I am wrong.

Regards,
Chinmaya
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
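
The lifetime handling asked about in the message above, as an added example that is not part of the original post and not strongSwan code: a small C model of a timer heap that takes over the role of the kernel's XFRM_MSG_EXPIRE messages when the SAs live in a separate data plane. Each expiry event is queued exactly once, and a hard-limit event left over from an SA that has already been rekeyed is dropped. All names (event_t, sa_install, sa_tick), the SPI values and the lifetimes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model, not strongSwan code: every name here is hypothetical. */
enum { EV_REKEY, EV_DELETE };
typedef struct { uint64_t due; uint32_t spi; int kind; } event_t;
#define MAX_EV 16
static event_t heap[MAX_EV + 1];  /* 1-based binary min-heap keyed on due time */
static size_t heap_len;
static uint32_t live_spi;         /* SPI the data plane currently holds, 0 = none */

static void ev_swap(size_t a, size_t b) { event_t t = heap[a]; heap[a] = heap[b]; heap[b] = t; }

static void ev_schedule(uint64_t due, uint32_t spi, int kind) {
    size_t i = ++heap_len;        /* caller has already checked capacity */
    heap[i] = (event_t){ due, spi, kind };
    for (; i > 1 && heap[i / 2].due > heap[i].due; i /= 2) ev_swap(i, i / 2);
}

/* Pop the earliest event if it is due by `now`; returns 1 if one was popped. */
static int ev_pop(uint64_t now, event_t *out) {
    if (heap_len == 0 || heap[1].due > now) return 0;
    *out = heap[1];
    heap[1] = heap[heap_len--];
    for (size_t i = 1, c; (c = 2 * i) <= heap_len; i = c) {
        if (c < heap_len && heap[c + 1].due < heap[c].due) c++;
        if (heap[i].due <= heap[c].due) break;
        ev_swap(i, c);
    }
    return 1;
}

/* Install an SA and queue its soft (rekey) and hard (delete) expiry once each. */
static int sa_install(uint64_t now, uint32_t spi, uint64_t rekey_s, uint64_t life_s) {
    if (heap_len + 2 > MAX_EV) return -1;   /* never run an SA without its timers */
    if (rekey_s > 0) ev_schedule(now + rekey_s, spi, EV_REKEY);
    if (life_s > 0) ev_schedule(now + life_s, spi, EV_DELETE);
    live_spi = spi;
    return 0;
}

/* Fire everything due by `now`; returns how many events were acted on. */
static int sa_tick(uint64_t now, uint64_t rekey_s, uint64_t life_s) {
    event_t e; int acted = 0;
    while (ev_pop(now, &e)) {
        if (e.spi != live_spi) continue;    /* stale: that SA was already replaced */
        if (e.kind == EV_DELETE || sa_install(e.due, e.spi + 1, rekey_s, life_s) != 0)
            live_spi = 0;                   /* hard limit or no timer slot: drop the SA */
        acted++;
    }
    return acted;
}

int main(void) { sa_install(0, 0x100, 30, 40); return sa_tick(30, 30, 40) == 1 ? 0 : 1; }
```

In the model a rekey installs the successor SA under a new SPI, so the predecessor's hard-limit event no longer matches anything when it fires.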