[Swan-dev] ERROR: netlink response for Add SA ... included errno 3: No such process

Paul Wouters paul at nohats.ca
Sat Apr 11 07:52:52 EEST 2015


On Sat, 11 Apr 2015, Herbert Xu wrote:

> Subject: [Swan-dev] ERROR: netlink response for Add SA ... included errno 3: No such process

> I'm sure you've all seen this error message.  At some point a
> patch was applied to change the offending update to an add if
> the error occurred.

If I remember correctly that was needed because sometimes the kernel
deletes an SA, and if we call update it fails if there is nothing
to update.

> This is wrong because some updates do not
> contain keying material.

I don't understand this. Can you explain what the problem is for those
SAs?

> Moreover, the add too can fail if the
> SPI has already been reallocated to another SA.

By whom? We assume we are the only IKE daemon running and the only
entity requesting SPIs from the kernel. Anything else is madness.

> The whole point of the get_spi + update procedure is to guarantee
> the SPI uniqueness.  So you can't just replace the update with
> an add if the SA generated by get_spi expires.

I'll have to think about this a bit more...

> Anyway, the root cause of these messages is a setting of the
> sysctl xfrm_acq_expires that is too low compared to the timeout
> setting of libreswan.  In particular, the default setting of
> 30 is designed so that your entire IKE exchange should complete
> within 30 seconds, which incidentally is what racoon uses to
> determine an IKE timeout.

Yes, current git has switched to libevent and subsecond retransmits
and timeouts, so we will fall within that 30 second time window as
well.

> For libreswan, I suggest that you increase this parameter to
> a more appropriate value.  I haven't done the calculations but
> strongswan sets it to 165 which seems to be appropriate.

Almost 3 minutes? That seems very long.

Paul
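Added illustration, not code from this thread, from libreswan or from the Linux kernel: a small Python model of the get_spi + update sequence Herbert describes, showing how a reservation that outlives xfrm_acq_expires turns the update into errno 3 (ESRCH), and how the add fallback either silently masks the misconfiguration or collides once the SPI has been handed out again. The SPI pool, the timings, the "lowest free SPI" allocation rule and the EEXIST collision code are all constructed for the example; the real kernel allocates SPIs differently and this is only a model of the behaviour the thread states.

```python
"""Toy model of the get_spi + update race described in the thread.

Constructed illustration, not libreswan or Linux kernel code.  It models only
what the thread states: get_spi reserves an SPI that the kernel drops again
after xfrm_acq_expires seconds; an update on a dropped reservation fails with
errno 3 (ESRCH, "No such process"); and falling back to add can collide when
the SPI has meanwhile been handed to another SA.  The SPI pool, the timings,
the allocation order and the collision errno (EEXIST) are assumptions.
"""
import errno


class XfrmTableModel:
    """Simplified stand-in for the kernel SA table (constructed model)."""

    def __init__(self, acq_expires, pool):
        self.acq_expires = acq_expires
        self.pool = sorted(pool)    # constructed, kept small so reuse is visible
        self.acquires = {}          # spi -> time at which the reservation expires
        self.sas = {}               # spi -> owner label of an installed SA

    def _expire(self, now):
        # Drop reservations whose xfrm_acq_expires window has passed.
        for spi in [s for s, t in self.acquires.items() if t <= now]:
            del self.acquires[spi]

    def get_spi(self, now):
        """Reserve the lowest free SPI (assumed rule); None if the pool is exhausted."""
        self._expire(now)
        for spi in self.pool:
            if spi not in self.acquires and spi not in self.sas:
                self.acquires[spi] = now + self.acq_expires
                return spi
        return None

    def update(self, spi, owner, now):
        """Convert a reservation into a full SA.  Returns 0 or an errno value."""
        self._expire(now)
        if spi not in self.acquires:
            return errno.ESRCH       # errno 3, the message in the subject line
        del self.acquires[spi]
        self.sas[spi] = owner
        return 0

    def add(self, spi, owner, now):
        """Install an SA with no prior reservation (the fallback under discussion)."""
        self._expire(now)
        if spi in self.sas or spi in self.acquires:
            return errno.EEXIST      # modeled collision with the other SA
        self.sas[spi] = owner
        return 0


def negotiate(acq_expires, exchange_seconds, competing=True, pool=(0x1001, 0x1002)):
    """Negotiation A reserves an SPI at t=0 and finishes its IKE exchange after
    exchange_seconds.  If competing, a second negotiation B starts shortly before
    A finishes and completes quickly.  Returns (A's update result, A's add result
    or None if no fallback was needed, A's SPI, B's SPI or None)."""
    table = XfrmTableModel(acq_expires, pool)
    spi_a = table.get_spi(now=0.0)
    spi_b = None
    if competing:
        t_b = exchange_seconds - 0.5
        spi_b = table.get_spi(now=t_b)
        table.update(spi_b, "B", now=t_b + 0.1)
    upd = table.update(spi_a, "A", now=exchange_seconds)
    add = None
    if upd == errno.ESRCH:
        add = table.add(spi_a, "A", now=exchange_seconds)
    return upd, add, spi_a, spi_b


if __name__ == "__main__":
    for label, args in (("exchange within window", (30, 10)),
                        ("exchange too slow, no competitor", (30, 40, False)),
                        ("exchange too slow, SPI reallocated", (30, 40))):
        print(label, negotiate(*args))
```

The middle case is the one that makes the add fallback look harmless: with nobody else asking for SPIs, add succeeds after the update failed, and the low xfrm_acq_expires goes unnoticed. The last case shows what the thread warns about: the reservation expired, another negotiation was handed the same SPI, and both update and add fail.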

