From 469083cc7dddb1aa136ae67a73be08df939c7e87 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Tue, 25 Aug 2009 18:15:25 +0200
Subject: disable lifetimes of allocated SPIs

The default lifetime of 30 seconds is too short, as a tunnel setup may need several minutes if we have high packet loss. Instead of increasing the value, we disable lifetimes completely, as we handle the removal of such SAs from userland just fine.
---
 src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 2051316f6..e4d31bc53 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006-2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_shared.h"
@@ -1956,6 +1957,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 {
 	private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
 	struct sockaddr_nl addr;
+	int fd;
 
 	/* public functions */
 	this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
@@ -1976,6 +1978,14 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
 
+	/* disable lifetimes for allocated SPIs in kernel */
+	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
+	if (fd)
+	{
+		ignore_result(write(fd, "0", 1));
+		close(fd);
+	}
+
 	/* add bypass policies on the sockets used by charon */
 	if (!add_bypass_policies())
 	{
-- cgit v1.2.3
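Review bot: The `if (fd)` guard after the `open()` of /proc/sys/net/core/xfrm_acq_expires tests the wrong value: `open()` returns -1 on failure and 0 is a legitimate descriptor, so a failed open (sysctl absent on an older kernel, /proc not mounted, insufficient privilege) takes the branch and issues `write()` and `close()` on -1, while a successful open that happens to return 0 is skipped. The check should be `if (fd != -1)`. Because the `write()` result is discarded through `ignore_result()`, neither a failed open nor a failed or short write is reported, and the kernel keeps its 30-second acquire lifetime — exactly the failure mode the commit is meant to remove, but now invisible; logging both cases at DBG1 level in the `else` path and on a write return other than 1 would make the regression diagnosable. kernel_netlink_ipsec_create() continues outside the hunk.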