[Openswan Users] pfkey write failed

Arnoud Tijssen ATijssen at Ram.nl
Wed Apr 21 03:21:53 EDT 2010

We used the following klips patch:


A restart didn't solve the issue here. We're just curious what happened and how it was possible.
And can we avoid this in the future?

From: users-bounces at openswan.org [users-bounces at openswan.org] On Behalf Of Paul Wouters [paul at xelerance.com]
Sent: 20 April 2010 14:07
To: Arnoud Tijssen
Cc: dev at openswan.org; users at openswan.org
Subject: Re: [Openswan Users] pfkey write failed

On Mon, 19 Apr 2010, Arnoud Tijssen wrote:

> Recently our openswan generated the following error:
> /usr/local/libexec/ipsec/spi: pfkey write failed (errno=28): no room in kernel SAref table.  Cannot process request.

Forwarding to dev@ list.

> The system had enough memory and free disk space. We're running openswan 2.4.13. After we stopped the ipsec service and openswan wasn't running anymore we still saw a list with more spi values than VPNs. Some of our VPNs were still processing datastreams, and some were unable to re-establish a connection with the peers.

> What did happen here and why did we keep all of these spi values after the ipsec daemon stopped entirely?

It looks like openswan got a bad state, so it could no longer clear the kernel
SPD/SAD state, hence your lingering working tunnels. Re-establishing after
restarting openswan should work but perhaps there were more errors in the kernel
state preventing the userland from talking to it.

What version of userland/kernel/klips was this?
