[strongSwan] Problem loading many private keys

Roberts Pakalns pakalns at gmail.com
Thu Apr 4 11:39:50 CEST 2019


Hello,

Description: I want to set up 2000 IKEv2 cert-based tunnels.

Problem: After applying the configuration, I see that the loading of private keys
cannot finish, as ipsec is restarting after 10s.

Apr  4 02:23:13 debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-4-686-pae, i686)
Apr  4 02:23:13 debian charon: 00[KNL] unable to create IPv4 routing table rule
Apr  4 02:23:13 debian charon: 00[KNL] unable to create IPv6 routing table rule
Apr  4 02:23:13 debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr  4 02:23:13 debian charon: 00[CFG]   loaded ca certificate "C=XX, ST=XXXXX, L=XXXXX, O=XXXXX, OU=XXXX, CN=XXXXXXXXXX, E=XXXXXXXXXXX" from '/etc/ipsec.d/cacerts/cacert.pem'
Apr  4 02:23:13 debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr  4 02:23:13 debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr  4 02:23:13 debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr  4 02:23:13 debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr  4 02:23:13 debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr  4 02:23:13 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0000.pem'
Apr  4 02:23:13 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0001.pem'
Apr  4 02:23:13 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0002.pem'
... omitted ...
Apr  4 02:23:23 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0442.pem'
Apr  4 02:23:23 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0443.pem'
Apr  4 02:23:23 debian charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/private-0444.pem'
Apr  4 02:23:28 debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-4-686-pae, i686)
Apr  4 02:23:28 debian charon: 00[KNL] unable to create IPv4 routing table rule
Apr  4 02:23:28 debian charon: 00[KNL] unable to create IPv6 routing table rule
Apr  4 02:23:28 debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Question: Do you have any suggestions on where I can lift this 10s
limitation? Or any other ideas on how I could get 2000 keys loaded? Tried to
search and went through charon.conf, but apparently I'm still missing it.

Thanks,
Roberts