diff options
| author | Thomas Egerer <thomas.egerer@secunet.com> | 2017-03-09 18:26:35 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 17:58:51 +0200 |
| commit | d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699 (patch) | |
| tree | 1f0b03f5b19415dc9eb2a9cb4052e5089e97c9ae /src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c | |
| parent | bf08e39441f54466078ca81802a7482b3e8f91a2 (diff) | |
| download | strongswan-d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699.tar.bz2 strongswan-d140b3bd3f7ff6f6b7bdc5202bd0dee7f39fa699.tar.xz | |
kernel-netlink: Try to add new inbound SA if update fails
When establishing a traffic-triggered CHILD_SA involves the setup of an
IKE_SA more than one exchange is required. As a result the temporary
acquire state may have expired -- even if the acquire expiration
(xfrm_acq_expires) time is set properly (165 by default). The expire
message sent by the kernel is not processed in charon since no trap can
be found by the trap manager.
A possible solution could be to track allocated SPIs. But since this is
a corner case and the tracking introduces quite a bit of overhead, it
seems much more sensible to add a new state if the update of a state
fails with NOT_FOUND.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c')
0 files changed, 0 insertions, 0 deletions