Small correction, strongswan calls *expire*, not migrate.

On Fri, 2 Apr 2021 at 15:07, Venumadhav Josyula via lists.fd.io <vjosyula= gmail....@lists.fd.io> wrote:

> Hi Benoit,
>
> Strongswan keeps track of whatever is required, but the kernel feeds the
> relevant information via events.
>
> For *child sa*, in the kernel world, it is the kernel which sends the
> XFRM_EXPIRE message via netlink. Strongswan is listening for netlink events
> for the same. When it receives events from the kernel it processes the
> expire and calls the relevant 'charon->kernel->migrate'.
>
> Please note I am only talking about child sa rekey, where the kernel sends
> events; for IKE SA rekey strongswan works on a timer basis.
>
> Thanks,
> Regards,
> Venu
>
> On Fri, 2 Apr 2021 at 14:35, Benoit Ganne (bganne) <bga...@cisco.com>
> wrote:
>
>> Hi Venu,
>>
>> I am not familiar with the kernel-vpp plugin you mention, however if I
>> understand correctly your question is how strongSwan can know it must
>> trigger a rekey because of time expiration or max bytes transferred?
>> VPP IPsec does not manage SA lifetimes by itself, it is the
>> responsibility of strongSwan (or any other IKE stack). strongSwan can keep
>> track of time by itself, and regarding the max bytes limit, VPP exposes
>> per-SA bytes counters, so strongSwan should poll those counters
>> periodically and trigger a rekey if needed.
>> Also, VPP comes with its own IKEv2 implementation (which does support
>> lifetime management), you can find examples here:
>> https://gerrit.fd.io/r/c/vpp/+/31414
>>
>> Best
>> ben
>>
>> > -----Original Message-----
>> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Venumadhav
>> > Josyula
>> > Sent: Thursday, 1 April 2021 18:05
>> > To: vpp-dev <vpp-dev@lists.fd.io>
>> > Subject: [vpp-dev] child sa rekey
>> >
>> > Hi Vpp Ipsec Experts,
>> >
>> > I wanted to understand how child sa rekey (lifetime) is handled in vpp.
>> > i) We are using strongswan + kernel-vpp plugin for our ikev2 exchange.
>> > ii) Now we are facing an issue with child sa rekey: the problem is that
>> > child sa rekey is not getting triggered. I understand that strongswan
>> > needs to trigger this. When we trigger it manually it works, but the
>> > lifetime timeout does not work. Please also note there is no issue with
>> > IKE SA rekey timeout expiry.
>> > iii) For ii), in the kernel world, while adding the sa, parameters such
>> > as lifetime are passed. And it is the kernel that triggers child sa
>> > rekey on hard timer expiry.
>> > iv) How do we pass these lifetime cfg parameters to vpp? Is it handled
>> > or not handled?
>> >
>> > Please note we are using the vpp 20.09 release version for the same.
>> >
>> > Thanks and regards
>> > Venu
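
The polling approach described in the thread (the IKE daemon tracks SA age itself, reads the per-SA byte counters periodically, and raises the rekey or expire event that the Linux kernel would otherwise deliver as XFRM_EXPIRE), sketched as an added example that is not part of the original thread and is not strongSwan or VPP code. All type and function names are hypothetical, and the soft (rekey) and hard (expire) limits per SA are an assumption about how the lifetimes are configured.

```c
#include <stddef.h>
#include <stdint.h>

/* All names here are hypothetical; none are strongSwan or VPP APIs. */
typedef enum { SA_OK, SA_REKEY, SA_EXPIRE } sa_action_t;

typedef struct {
    uint32_t spi;
    uint64_t installed_at;            /* seconds, monotonic clock */
    uint64_t soft_secs, hard_secs;    /* 0 = no limit */
    uint64_t soft_bytes, hard_bytes;  /* 0 = no limit */
    int rekey_sent;                   /* soft event already raised */
} child_sa_t;

typedef struct { uint32_t spi; sa_action_t action; } sa_event_t;

static int over(uint64_t value, uint64_t limit)
{
    return limit != 0 && value >= limit;
}

/* Evaluate one SA against the byte counter read in this poll cycle. */
sa_action_t sa_check(child_sa_t *sa, uint64_t now, uint64_t bytes)
{
    uint64_t age = now >= sa->installed_at ? now - sa->installed_at : 0;
    /* Hard limit wins; it repeats every poll until the caller deletes the SA. */
    if (over(age, sa->hard_secs) || over(bytes, sa->hard_bytes))
        return SA_EXPIRE;
    /* Soft limit is raised once, so one rekey is started per SA. */
    if (!sa->rekey_sent &&
        (over(age, sa->soft_secs) || over(bytes, sa->soft_bytes))) {
        sa->rekey_sent = 1;
        return SA_REKEY;
    }
    return SA_OK;
}

/* One poll cycle: bytes[i] is the counter read for sas[i].
 * Writes the events to raise into out[] and returns how many. */
size_t sa_poll(child_sa_t *sas, const uint64_t *bytes, size_t n,
               uint64_t now, sa_event_t *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        sa_action_t a = sa_check(&sas[i], now, bytes[i]);
        if (a != SA_OK)
            out[k++] = (sa_event_t){ sas[i].spi, a };
    }
    return k;
}
```

The poll interval bounds how far past a byte limit an SA can run before the event is raised, so the soft limit should leave at least one interval of traffic as margin below the hard limit.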