<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div></div><span><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Hi Martin/All,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Thanks a lot for your valuable and prompt response. </span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'></span> </div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>I disabled
the dos_protection <span style="mso-spacerun: yes;"> </span>at both the ends. <span style="mso-spacerun: yes;"> </span>Now the responder does not generate IKE_AUTH i.e.,
AUTH_FAILED response. I run the scenario with 300 IPsec tunnels ( Configured
the initiators = 10, iterations = 30 and delay = 100 in strongswan.conf of IKE
initiator). It could able to bring up all the tunnels or establish the IKE and
ESP child SAs at both ends. Please note that, I have disabled the rekeying at
both ends. In order to confirm, I used the “ip xfrm state count” command at
both ends from time to time. Always it showed the SAD count to be 600, which was
expected. However upon trying to run with 500 IPsec connections/tunnels, I
found the following issue i.e., though it can create all the IPsec tunnels (i.e.,
checked and found the SAD count to be 1000) at responder end, the initiator cannot
create all the tunnels <span style="mso-spacerun: yes;"> </span>(i.e., checked
and found the SAD count to be lesser than 400).<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Thereafter turned on the log at IKE initiator end and found
the following error messages in charon.log file.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p>---------------------------------------------------------------------------------------------- </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 05[KNL]
creating delete job for ESP CHILD_SA with SPI cd8cac1c a<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>nd reqid {159}<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 03[MGR]
checkout IKE_SA by ID<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 03[JOB]
CHILD_SA with reqid 159 not found for delete<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 05[KNL]
received a XFRM_MSG_EXPIRE<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 05[KNL]
creating delete job for ESP CHILD_SA with SPI c7b3110f a<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>nd reqid {160}<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 02[MGR]
checkout IKE_SA by ID<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 02[JOB]
CHILD_SA with reqid 160 not found for delete<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 05[KNL]
received a XFRM_MSG_EXPIRE<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:28 05[KNL]
creating delete job for ESP CHILD_SA with SPI c922693f a<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>nd reqid {161}<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p><div class="MsoNormal" style="margin: 0in 0in 10pt;"> </div></o:p></span><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29
12[CHD]<span style="mso-spacerun: yes;"> </span>SPI 0xcd8cac1c, src 30.30.30.2
dst 30.30.30.1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[KNL]
adding SAD entry with SPI cd8cac1c and reqid {159}<span style="mso-spacerun: yes;"> </span>(mar<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>k 0/0x00000000)<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29
12[KNL]<span style="mso-spacerun: yes;"> </span>using encryption algorithm
AES_CBC with key size 128<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29
12[KNL]<span style="mso-spacerun: yes;"> </span>using integrity algorithm
HMAC_SHA1_96 with key size 1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>60<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[KNL]<span style="mso-spacerun: yes;"> </span>using replay window of 32 packets<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[KNL]
unable to add SAD entry with SPI cd8cac1c<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[IKE]
unable to install inbound IPsec SA (SAD) in kernel<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[IKE]
failed to establish CHILD_SA, keeping IKE_SA<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Jan<span style="mso-spacerun: yes;"> </span>1 07:14:29 12[KNL]
deleting SAD entry with SPI cd8cac1c<span style="mso-spacerun: yes;">
</span>(mark 0/0x00000000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>) <span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div></div><font face="Times New Roman"><div>
</div><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><div></div><o:p><div></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p>---------------------------------------------------------------------------------------------- </o:p></span></div></o:p></span></font><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Here goes my analysis. Kindly go thru the same and drag me to right direction if I am wrong at any point.</span></div></span><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'></span> </div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%;
font-family: "Comic Sans MS"; font-size: 10pt;'>What I understand, each IPsec SA in the Linux kernel has a
lifetime associated with it consisting of both a soft and a hard limit. Each
time one of the soft or hard limits is reached, the Linux kernel generates an
XFRM_MSG_EXPIRE message to which the charon keying (IKEv2) daemon subscribes
when creating the NETLINK_XFRM socket. But in this case, <span style="mso-spacerun: yes;"> </span>since I have disabled the rekeying,<span style="mso-spacerun: yes;"> </span>the kernel should not send XFRM_MSG_EXPIRE
event to charon daemon. Please feel free to correct me if my understanding is
wrong. Since charon gets XFRM_MSG_EXPIRE event, it creates delete job for ESP
CHILD_SA and unable to install the child SA in kernel.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div><font face="Times New Roman">
</font><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>As per the rfc-4306, If the response is not received within a
timeout interval, the requester needs to retransmit the request or teardown <span style="mso-spacerun: yes;"> </span>the connection. <span style="mso-spacerun: yes;"> </span>Let us assume that, initiator does not receive
IKE_AUTH response message, then it should go on retransmitting the IKE_AUTH
request. Since I have configured the<span style="mso-spacerun: yes;">
</span>retransmit_timeout=60 and<span style="mso-spacerun: yes;">
</span>retransmit_tries=30, it will send 30 IKE_AUTH requests in each 60
seconds. After (60*30=1800 seconds), it should tear down the connection (i.e.,
child SA) by sending Informational DELETE payload message to responder. In such
case, the SAD count (at responder end) should be dropped from 1000 (Note that,
i have run with 500 IPsec connections/tunnels). But it never drops from 1000.
Also there is no drop of SAD count at initiator end (i.e., 320). </span><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Is this an expected behavior or bug in strongswan (5.0.4) or I
am missing something? </span></div><div><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'></span> </div><div><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Please find our configuration below for Initiator as well
as Responder.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>Configurations at IKE initiator<o:p></o:p></span></u></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>strongswan.conf
<o:p></o:p></span></u></i></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'># number of worker threads in charon<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>threads = 16<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>replay_window = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt; text-indent: 0.5in;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>dos_protection = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>block_threshold=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>cookie_threshold=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>init_limit_half_open=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>retransmit_timeout=60<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-tab-count: 1;"> </span>retransmit_tries=30<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt; text-indent: 0.5in;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>install_virtual_ip=no <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt; text-indent: 0.5in;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>install_routes=no<span style="mso-tab-count: 1;"> </span><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>plugins {<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>load-tester {<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>enable = yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>initiators = 20<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>iterations = 30<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>delay = 30<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>responder = 30.30.30.2<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>proposal = aes128-sha1-modp1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>initiator_auth = psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>responder_auth = psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>request_virtual_ip = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>ike_rekey = 0<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>child_rekey = 0<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>delete_after_established = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>shutdown_when_complete = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>}<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>ipsec.secrets<o:p></o:p></span></u></i></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>@srv.strongswan.org %any : PSK "strongSwan"<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>Configurations at IKE responder<o:p></o:p></span></u></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>ipsec.conf<o:p></o:p></span></u></i></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>conn %default<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>ikelifetime=24h<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>keylife=23h<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rekeymargin=5m<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>keyingtries=1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>keyexchange=ikev2<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>ike=aes128-sha1-modp1024!<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>mobike=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>conn host-host<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>left=30.30.30.2<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>leftsubnet=30.30.30.2/8<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>rightid=%any<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>leftauth=psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>leftfirewall=yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>right=30.30.30.1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>rightsubnet=30.30.30.1/8<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>leftid=@srv.strongswan.org<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rightauth=psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt; text-indent: 0.5in;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>type=tunnel<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>authby=secret<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rekey=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>reauth=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>auto=add<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>strongswan.conf<o:p></o:p></span></u></i></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span># number of
worker threads in charon<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>threads = 16<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>replay_window =
32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>block_threshold=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>cookie_threshold=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>init_limit_half_open=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>half_open_timeout=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>dos_protection =
no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"></span></span><font face="Times New Roman"></font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Please fee free to let me know if additional information is needed. Your help in this regard will be highly appreciated. <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Regards,</span></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Chinmaya</span><font face="Times New Roman"></font> </div></span><div class="MsoNormal" style="margin: 0in 0in 10pt;"><o:p></o:p></div></span><div class="MsoNormal" style="margin: 0in 0in 10pt;"></div><div><font face="Times New Roman">
</font></div></span><div></div><div><br></div> <div style="font-family: lucida console, sans-serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <div class="hr" style="margin: 5px 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); height: 0px; line-height: 0; font-size: 0px;" contenteditable="false" readonly="true"></div> <font face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Chinmaya Dwibedy <ckdwibedy@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, August 5, 2013 5:02 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue with
load-tester plugin (using strongSwan 5.0.4)<br> </font> </div> <div class="y_msg_container"><br>Hi,<br><br>> Although we did not encounter with aforesaid message, it could<br>> not create all 300 IPsec tunnels. [...]<br><br>> [IKE] tried 1 shared key for 'srv.strongswan.org' - 'c13-r1.strongswan.org',<br>> but MAC mismatched<br><br>This problem arises when enabling IKEv2 DoS protection using COOKIEs.<br><br>Assume the following: The initiator sends an IKE_SA_INIT without a<br>COOKIE. The responder queues that message for processing. If it then<br>enables DoS protection, and the initiator retransmits the IKE_SA_INIT,<br>you'll encounter this issue. The initiator assumes the responder<br>processed the COOKIEd IKE_SA_INIT, but in fact it processed the first<br>IKE_SA_INIT without a COOKIE. The peers use different IKE_SA_INIT data<br>to authenticate during IKE_AUTH, and the MAC does not match (see also<br>[1]).<br><br>While there could be ways
to improve the situation (i.e. respect a<br>second IKE_SA_INIT message having a COOKIE), I don't think that there is<br>way to solve this issue completely. Under DoS the chance is high that<br>packets get lost elsewhere. The only option would be to change the IKEv2<br>protocol itself (for example to not include the COOKIE in MAC<br>calculation).<br><br>Further, I think your assumption is wrong that there is a guarantee that<br>a tunnel can be established given a Denial of Service situation. You<br>should reconsider what a DoS situation is, and configure the daemon<br>accordingly using the cookie_threshold and block_threshold options. Also<br>you might check the init_limit_job_load/init_limit_half_open options;<br>they can help in avoiding this issue. But once you hit DoS limits, the<br>above error will happen, and there is certainly no guarantee all<br>connection attempts will be successful.<br><br>Regards<br>Martin<br><br>[1]<a
href="http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1b7debcc" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1b7debcc</a><br><br><br><br><br></div> </div> </div> </div></body></html>