[Swan-dev] ERROR: netlink response for Add SA ... included errno 3: No such process
Herbert Xu
herbert at gondor.apana.org.au
Sat Apr 11 04:28:23 EEST 2015
Hi:
I'm sure you've all seen this error message. At some point a
patch was applied to change the offending update to an add if
the error occured. This is wrong because some updates do not
contain keying material. Moreover, the add too can fail if the
SPI has already been reallocated to another SA.
The whole point of the get_spi + update procedure is to guarantee
the SPI uniqueness. So you can't just replace the update with
an add if the SA generated by get_spi expires.
Anyway, the root cause of these messages is a setting of the
sysctl xfrm_acq_expires that is too low compared to the timeout
setting of libreswan. In particular, the default setting of
30 is designed so that your entire IKE exchange should complete
within 30 seconds, which incidentally is what racoon uses to
determine an IKE timeout.
For libreswan, I suggest that you increase this parameter to
a more appropriate value. I haven't done the calculations but
strongswan sets it to 165 which seems to be appropriate.
Cheers,
--
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
More information about the Swan-dev
mailing list