Hi Benoit,

Strongswan keeps track of whatever is required, but the kernel feeds the relevant information via events.

For *child sa*, in the kernel world, it is the kernel which sends the XFRM_EXPIRE message via netlink. Strongswan is listening for netlink events for the same. When it receives events from the kernel it processes the expire and calls the relevant 'charon->kernel->migrate'. Please note I am only talking about child sa rekey, where the kernel sends events; for IKE SA rekey, strongswan works on a timer basis.

Thanks,
Regards,
Venu

On Fri, 2 Apr 2021 at 14:35, Benoit Ganne (bganne) <bga...@cisco.com> wrote:
> Hi Venu,
>
> I am not familiar with the kernel-vpp plugin you mention, however if I
> understand correctly your question is how strongSwan can know it must
> trigger a rekey because of time expiration or max bytes transferred?
> VPP IPsec does not manage SA lifetimes by itself, it is the responsibility
> of strongSwan (or any other IKE stack). strongSwan can keep track of time
> by itself, and regarding the max bytes limit, VPP exposes per-SA bytes
> counters, so strongSwan should poll those counters periodically and trigger
> a rekey if needed.
> Also, VPP comes with its own IKEv2 implementation (which does support
> lifetime management), you can find examples here:
> https://gerrit.fd.io/r/c/vpp/+/31414
>
> Best
> ben
>
> > -----Original Message-----
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Venumadhav
> > Josyula
> > Sent: Thursday 1 April 2021 18:05
> > To: vpp-dev <vpp-dev@lists.fd.io>
> > Subject: [vpp-dev] child sa rekey
> >
> > Hi Vpp Ipsec Experts,
> >
> > I wanted to understand how child sa rekeys (lifetime) are handled in vpp.
> > i) We are using strongswan + kernel-vpp plugin for our ikev2 exchange.
> > ii) Now we are facing an issue with child sa rekey: the problem is that child sa
> > rekey is not getting triggered. I understand the strongswan needs to
> > trigger this. When we trigger it manually it works, but timeout of lifetime does
> > not work. Please also note there is no issue with IKE SA rekey timeout
> > expiry.
> > iii) For ii), in the kernel world, while adding SAs these parameters such as
> > lifetime are passed. And it is the kernel that triggers child sa rekey on
> > hard timer expiry.
> > iv) How do we pass these lifetime cfg parameters to the vpp; is it handled
> > or not handled?
> >
> > Please note we are using the vpp 20.09 release version for the same.
> >
> > Thanks and regards
> > Venu
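The thread turns on one point: the Linux kernel enforces child SA lifetimes itself and tells strongSwan via XFRM_EXPIRE events, whereas VPP only keeps per-SA byte counters, so an IKE daemon driving VPP has to do the lifetime bookkeeping (time and bytes) on its own and trigger the rekey. The following is an added illustration of that bookkeeping, written for this page; it is not strongSwan, kernel-vpp plugin or VPP code. It models the soft/hard limit split the kernel uses (soft limit starts a rekey while the old SA keeps carrying traffic, hard limit means the SA must be deleted), and every class, function name, limit, timestamp and counter value in it is constructed.

```python
"""
Added illustration, not strongSwan or VPP code: the child SA lifetime
bookkeeping an IKE daemon has to do itself when the dataplane (VPP in this
thread) keeps per-SA byte counters but neither enforces lifetimes nor emits
expire events the way the Linux kernel does with XFRM_EXPIRE.

All class and function names, limits, timestamps and counter values below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ChildSaLimits:
    soft_bytes: int        # reaching this starts a rekey (old SA still usable)
    hard_bytes: int        # reaching this forces deletion of the SA
    soft_seconds: float
    hard_seconds: float


@dataclass
class ChildSaState:
    spi: int               # SPI of the SA being tracked (constructed value)
    installed_at: float    # time the SA was installed in the dataplane
    limits: ChildSaLimits
    rekey_triggered: bool = False
    expired: bool = False


def check_lifetime(sa: ChildSaState, polled_bytes: int, now: float) -> Optional[str]:
    """Evaluate one poll of the dataplane byte counter for this SA.

    Returns "expire" when a hard limit is reached (delete the SA), "rekey" the
    first time a soft limit is reached (start a CREATE_CHILD_SA exchange),
    otherwise None.  Hard limits are checked first so that a counter which
    jumps past both limits between two polls yields a delete rather than a
    rekey that would keep an overused SA in place.
    """
    if sa.expired:
        return None
    age = now - sa.installed_at
    if polled_bytes >= sa.limits.hard_bytes or age >= sa.limits.hard_seconds:
        sa.expired = True
        return "expire"
    if not sa.rekey_triggered and (
        polled_bytes >= sa.limits.soft_bytes or age >= sa.limits.soft_seconds
    ):
        sa.rekey_triggered = True
        return "rekey"
    return None


def run_poll_loop(sa: ChildSaState,
                  samples: List[Tuple[float, int]]) -> List[Tuple[float, str]]:
    """Feed a sequence of (timestamp, byte_counter) polls to the tracker.

    `samples` stands in for what a periodic read of the dataplane's per-SA
    counter would return; the counter is assumed monotonic over the SA's life.
    """
    events: List[Tuple[float, str]] = []
    for ts, nbytes in samples:
        ev = check_lifetime(sa, nbytes, ts)
        if ev is not None:
            events.append((ts, ev))
    return events


# Constructed limits: ~1 MB soft / 1.1 MB hard, 60 min soft / 65 min hard.
SAMPLE_LIMITS = ChildSaLimits(
    soft_bytes=1_000_000, hard_bytes=1_100_000,
    soft_seconds=3600.0, hard_seconds=3900.0,
)

# Constructed polls for a busy SA: the byte limits fire before the time limits.
BUSY_SA_POLLS = [(0.0, 0), (600.0, 200_000), (1200.0, 500_000),
                 (1800.0, 1_050_000), (2400.0, 1_080_000), (3000.0, 1_150_000)]

# Constructed polls for a nearly idle SA: only the time limits matter.
IDLE_SA_POLLS = [(0.0, 0), (1800.0, 1_000), (3700.0, 2_000), (4000.0, 3_000)]


def busy_sa_events() -> List[Tuple[float, str]]:
    sa = ChildSaState(spi=0x1001, installed_at=0.0, limits=SAMPLE_LIMITS)
    return run_poll_loop(sa, BUSY_SA_POLLS)


def idle_sa_events() -> List[Tuple[float, str]]:
    sa = ChildSaState(spi=0x1002, installed_at=0.0, limits=SAMPLE_LIMITS)
    return run_poll_loop(sa, IDLE_SA_POLLS)


if __name__ == "__main__":
    print("busy SA:", busy_sa_events())
    print("idle SA:", idle_sa_events())
```

The poll interval is the operational knob this leaves open: an SA can overrun its byte limit by up to one interval's worth of peak throughput before the daemon notices, so the interval has to be small relative to the gap between the soft and hard byte limits divided by the expected peak rate, and a counter that is reset or reused when the dataplane replaces the SA must be re-based rather than compared against the old limits.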