Hi Venu,

I am not familiar with the kernel-vpp plugin you mention, however, if I understand correctly, your question is how strongSwan can know it must trigger a rekey because of time expiration or max bytes transferred?

VPP IPsec does not manage SA lifetimes by itself; it is the responsibility of strongSwan (or any other IKE stack). strongSwan can keep track of time by itself, and regarding the max bytes limit, VPP exposes per-SA byte counters, so strongSwan should poll those counters periodically and trigger a rekey if needed.

Also, VPP comes with its own IKEv2 implementation (which does support lifetime management); you can find examples here: https://gerrit.fd.io/r/c/vpp/+/31414
Best
ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Venumadhav Josyula
> Sent: Thursday 1 April 2021 18:05
> To: vpp-dev <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] child sa rekey
>
> Hi VPP IPsec Experts,
>
> I wanted to understand how child SA rekey (lifetime) is handled in VPP.
> i) We are using strongSwan + kernel-vpp plugin for our IKEv2 exchange.
> ii) Now we are facing an issue with child SA rekey: the child SA rekey is not getting triggered. I understand that strongSwan needs to trigger this. When we trigger it manually it works, but timeout of the lifetime does not work. Please also note there is no issue with IKE SA rekey timeout expiry.
> iii) For ii): in the kernel world, while adding SAs, parameters such as lifetime are passed, and it is the kernel that triggers child SA rekey on hard timer expiry.
> iv) How do we pass these lifetime cfg parameters to VPP? Is it handled or not handled?
>
> Please note we are using the VPP 20.09 release version for the same.
>
> Thanks and regards
> Venu
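The division of labour Ben describes, as an added example that is not code from strongSwan, the kernel-vpp plugin or VPP: the IKE side keeps the clock for every child SA it installs and polls the dataplane's per-SA byte counter on a timer, because the dataplane will never expire an SA on its own. `read_bytes(spi)` is a hypothetical callback standing in for whichever counter source the plugin uses; the SPIs, limits and counter values are constructed test data. The limit names follow swanctl.conf (`rekey_time`/`life_time`, `rekey_bytes`/`life_bytes`): the soft limit starts a rekey once, the hard limit (standard IPsec semantics the reply does not spell out) means the SA must be deleted even if the rekey has not finished.

```python
"""Lifetime monitor for child SAs installed in a dataplane that has no
lifetime logic of its own (VPP in this thread).

Added example, not strongSwan or VPP code. `read_bytes(spi)` is a
hypothetical callback for the dataplane's per-SA byte counter; all
SPIs, limits and counter values used with it are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class ChildSaLimits:
    """Soft limits start a rekey; hard limits mean the SA must be torn down."""
    rekey_time: float   # seconds after install at which to start rekeying
    life_time: float    # seconds after install at which the SA is dead
    rekey_bytes: int    # bytes after which to start rekeying
    life_bytes: int     # bytes after which the SA is dead

    def __post_init__(self) -> None:
        # A soft limit at or above the hard one would only ever produce a
        # hard expiry, with no window in which to rekey first.
        if not (0 < self.rekey_time < self.life_time):
            raise ValueError("rekey_time must be between 0 and life_time")
        if not (0 < self.rekey_bytes < self.life_bytes):
            raise ValueError("rekey_bytes must be between 0 and life_bytes")


@dataclass
class ChildSaState:
    spi: int
    installed_at: float
    limits: ChildSaLimits
    last_bytes: int = 0
    rekey_started: bool = False


class LifetimeMonitor:
    """Tracks installed child SAs and reports what the IKE side must do."""

    def __init__(self, read_bytes: Callable[[int], int],
                 now: Callable[[], float] = time.monotonic) -> None:
        self._read_bytes = read_bytes   # hypothetical dataplane counter lookup
        self._now = now                 # injectable clock, monotonic by default
        self._sas: Dict[int, ChildSaState] = {}

    def install(self, spi: int, limits: ChildSaLimits) -> None:
        """Record a freshly installed SA; its lifetime starts here, not in VPP."""
        self._sas[spi] = ChildSaState(spi, self._now(), limits)

    def uninstall(self, spi: int) -> None:
        self._sas.pop(spi, None)

    def poll(self) -> Dict[int, str]:
        """One timer tick: returns {spi: "ok" | "rekey" | "delete"}.

        "rekey" is reported once per SA (soft limit crossed); "delete" is
        reported on every tick after a hard limit is crossed, so a dead SA
        does not keep carrying traffic while a rekey is still in flight.
        """
        now = self._now()
        actions: Dict[int, str] = {}
        for spi, sa in self._sas.items():
            total = self._read_bytes(spi)
            if total < sa.last_bytes:
                # Counter went backwards (dataplane reset or replaced the SA
                # under us). Keep the larger value: a counter reset must not
                # silently extend the SA's byte lifetime.
                total = sa.last_bytes
            sa.last_bytes = total
            age = now - sa.installed_at

            if age >= sa.limits.life_time or total >= sa.limits.life_bytes:
                actions[spi] = "delete"
            elif (not sa.rekey_started and
                  (age >= sa.limits.rekey_time or total >= sa.limits.rekey_bytes)):
                sa.rekey_started = True
                actions[spi] = "rekey"
            else:
                actions[spi] = "ok"
        return actions
```

In a real plugin `poll()` would run from the daemon's scheduler at an interval well below `life_time - rekey_time`, so a byte limit cannot be overshot by more than one interval's worth of traffic; the caller maps "rekey" to starting a CREATE_CHILD_SA exchange and "delete" to removing the SA from the dataplane and sending the INFORMATIONAL delete.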
View/Reply Online (#19096): https://lists.fd.io/g/vpp-dev/message/19096