-rw-r--r--man/strongswan.conf.5.in5
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c16
2 files changed, 15 insertions, 6 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 9ee82f594..ff7d8ef58 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -626,6 +626,11 @@ Set MTU of ipsecN device
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change
.TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel, value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirecly controls the delay of XFRM
+acquire messages sent.
+.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
.TP
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 83f93ec68..e06c8eaa9 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -76,6 +76,9 @@
/** Default replay window size, if not set using charon.replay_window */
#define DEFAULT_REPLAY_WINDOW 32
+/** Default lifetime of an acquire XFRM state (in seconds) */
+#define DEFAULT_ACQUIRE_LIFETIME 165
+
/**
* Map the limit for bytes and packets to XFRM_INF by default
*/
@@ -2631,7 +2634,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
{
private_kernel_netlink_ipsec_t *this;
bool register_for_events = TRUE;
- int fd;
+ FILE *f;
INIT(this,
.public = {
@@ -2673,12 +2676,13 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
register_for_events = FALSE;
}
- /* disable lifetimes for allocated SPIs in kernel */
- fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
- if (fd > 0)
+ f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
+ if (f)
{
- ignore_result(write(fd, "165", 3));
- close(fd);
+ fprintf(f, "%u", lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-netlink.xfrm_acq_expires",
+ DEFAULT_ACQUIRE_LIFETIME, hydra->daemon));
+ fclose(f);
}
this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
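Review bot: The value returned by `get_int()` is an `int` but the `fprintf` line formats it with `%u`, so a negative (misconfigured) setting is written to the sysctl as a large unsigned number instead of being rejected; use `%d`, or validate first, e.g. `int expires = lib->settings->get_int(...); if (expires < 0) expires = DEFAULT_ACQUIRE_LIFETIME;` and then `fprintf(f, "%d", expires);`. The outcome of the write is also silently dropped: with stdio the data only reaches the kernel on `fclose(f)`, whose return value is not checked, so a value the kernel refuses leaves the old acquire lifetime in place with no trace — the removed code at least made the discard explicit with `ignore_result`, and checking `fclose` and logging a failure at debug level would make a misconfiguration visible. kernel_netlink_ipsec_create() continues past the end of this hunk.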