<div dir="ltr"><div><div>Hi,<br><br></div>I m  using strongswan-5.3.0 for tunnel establishment. In that I m trying out libipsec which does userspace encryption/decryption.<br><br></div><div>In our lab I tested a scenario where I sent, <br><br>1. 20Mbps uplink traffic from the device where libipsec is running, to a remote server.<br></div><div>2. 80Mbps downlink traffic from the remote server to the device where libipsec is running.<br><br></div><div>These two traffics are sent simultaneously using iperf tool.<br></div><div>I see that charon's memory usage gradually shoots up, it goes upto 630MB before the device crashes with out of memory.<br><br></div><div>Attaching the ipsec configuration at the device for the reference,<br># ipsec stautusall<br>Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):<br>  uptime: 3 hours, since May 21 12:39:32 2015<br>  malloc: sbrk 262144, mmap 0, used 124296, free 137848<br>  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5<br>  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap<br>Listening IP addresses:<br>  10.206.1.195<br>  192.168.16.1<br>  192.168.17.1<br>  192.168.18.1<br>  192.168.19.1<br>  192.168.20.1<br>  192.168.21.1<br>  192.168.22.1<br>Connections:<br>        home:  10.x.x.x....10.x.x.x  IKEv2, dpddelay=200s<br>        home:   local:  [<a href="mailto:0005B94234BD@picasso.com">0005B94234BD@picasso.com</a>] uses EAP_MD5 authentication<br>        home:   remote: uses pre-shared key authentication<br>        home:   child:  dynamic === <a href="http://0.0.0.0/0">0.0.0.0/0</a> TUNNEL, dpdaction=clear<br>Security Associations (1 up, 0 connecting):<br>        home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[<a href="mailto:0005B94234BD@picasso.com">0005B94234BD@picasso.com</a>]...10.x.x..x[<a href="mailto:a@airvana.com">a@airvana.com</a>]<br>        home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, rekeying in 20 hours<br>        home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 000a238e_o<br>        home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours<br>        home{1}:   <a href="http://10.220.10.116/32">10.220.10.116/32</a> === <a href="http://0.0.0.0/0">0.0.0.0/0</a> <br># ipsec listall<br><br>List of registered IKE algorithms:<br><br>  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]<br>  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]<br>              HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]<br>              HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]<br>  aead:<br>  hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]<br>  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]<br>              PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]<br>  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]<br>              MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]<br>  random-gen: RNG_STRONG[random] RNG_TRUE[random]<br>  nonce-gen:  [nonce]<br><br>List of loaded Plugins:<br><br>charon:<br>    CUSTOM:libcharon<br>        NONCE_GEN<br>        CUSTOM:libcharon-receiver<br>        CUSTOM:kernel-ipsec<br>        CUSTOM:kernel-net<br>    CUSTOM:libcharon-receiver<br>        HASHER:HASH_SHA1<br>        RNG:RNG_STRONG<br>        CUSTOM:socket<br>aes:<br>    CRYPTER:AES_CBC-16<br>    CRYPTER:AES_CBC-24<br>    CRYPTER:AES_CBC-32<br>des:<br>    CRYPTER:3DES_CBC-24<br>    CRYPTER:DES_CBC-8<br>    CRYPTER:DES_ECB-8<br>sha1:<br>    HASHER:HASH_SHA1<br>    PRF:PRF_KEYED_SHA1<br>sha2:<br>    HASHER:HASH_SHA224<br>    HASHER:HASH_SHA256<br>    HASHER:HASH_SHA384<br>    HASHER:HASH_SHA512<br>md5:<br>    HASHER:HASH_MD5<br>random:<br>    RNG:RNG_STRONG<br>    RNG:RNG_TRUE<br>nonce:<br>    NONCE_GEN<br>        RNG:RNG_WEAK<br>x509:<br>    CERT_ENCODE:X509<br>        HASHER:HASH_SHA1<br>    CERT_DECODE:X509<br>        HASHER:HASH_SHA1<br>        PUBKEY:RSA (soft)<br>        PUBKEY:ECDSA (soft)<br>        PUBKEY:DSA (soft)<br>    CERT_ENCODE:X509_AC<br>    CERT_DECODE:X509_AC<br>    CERT_ENCODE:X509_CRL<br>    CERT_DECODE:X509_CRL<br>    CERT_ENCODE:X509_OCSP_REQUEST<br>        HASHER:HASH_SHA1<br>        RNG:RNG_WEAK<br>    CERT_DECODE:X509_OCSP_RESPONSE<br>    CERT_ENCODE:PKCS10_REQUEST<br>    CERT_DECODE:PKCS10_REQUEST<br>revocation:<br>    CUSTOM:revocation<br>        CERT_ENCODE:X509_OCSP_REQUEST (soft)<br>        CERT_DECODE:X509_OCSP_RESPONSE (soft)<br>        CERT_DECODE:X509_CRL (soft)<br>        CERT_DECODE:X509 (soft)<br>        FETCHER:(null) (soft)<br>constraints:<br>    CUSTOM:constraints<br>        CERT_DECODE:X509 (soft)<br>pubkey:<br>    CERT_ENCODE:TRUSTED_PUBKEY<br>    CERT_DECODE:TRUSTED_PUBKEY<br>        PUBKEY:RSA (soft)<br>        PUBKEY:ECDSA (soft)<br>        PUBKEY:DSA (soft)<br>pkcs1:<br>    PRIVKEY:RSA<br>    PUBKEY:ANY<br>    PUBKEY:RSA<br>pkcs7:<br>    CONTAINER_DECODE:PKCS7<br>    CONTAINER_ENCODE:PKCS7_DATA<br>    CONTAINER_ENCODE:PKCS7_SIGNED_DATA<br>    CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA<br>pkcs8:<br>    PRIVKEY:ANY<br>    PRIVKEY:RSA<br>    PRIVKEY:ECDSA<br>pgp:<br>    PRIVKEY:ANY<br>    PRIVKEY:RSA<br>    PUBKEY:ANY<br>    PUBKEY:RSA<br>    CERT_DECODE:PGP<br>dnskey:<br>    PUBKEY:ANY<br>    PUBKEY:RSA<br>pem:<br>    PRIVKEY:ANY<br>        PRIVKEY:ANY<br>        HASHER:HASH_MD5 (soft)<br>    PRIVKEY:RSA<br>        PRIVKEY:RSA<br>        HASHER:HASH_MD5 (soft)<br>    PRIVKEY:ECDSA<br>        PRIVKEY:ECDSA<br>        HASHER:HASH_MD5 (soft)<br>    PRIVKEY:DSA (not loaded)<br>        PRIVKEY:DSA<br>        HASHER:HASH_MD5 (soft)<br>    PUBKEY:ANY<br>        PUBKEY:ANY<br>    PUBKEY:RSA<br>        PUBKEY:RSA<br>    PUBKEY:ECDSA (not loaded)<br>        PUBKEY:ECDSA<br>    PUBKEY:DSA (not loaded)<br>        PUBKEY:DSA<br>    CERT_DECODE:ANY<br>        CERT_DECODE:X509 (soft)<br>        CERT_DECODE:PGP (soft)<br>    CERT_DECODE:X509<br>        CERT_DECODE:X509<br>    CERT_DECODE:X509_CRL<br>        CERT_DECODE:X509_CRL<br>    CERT_DECODE:X509_OCSP_REQUEST (not loaded)<br>        CERT_DECODE:X509_OCSP_REQUEST<br>    CERT_DECODE:X509_OCSP_RESPONSE<br>        CERT_DECODE:X509_OCSP_RESPONSE<br>    CERT_DECODE:X509_AC<br>        CERT_DECODE:X509_AC<br>    CERT_DECODE:PKCS10_REQUEST<br>        CERT_DECODE:PKCS10_REQUEST<br>    CERT_DECODE:TRUSTED_PUBKEY<br>        CERT_DECODE:TRUSTED_PUBKEY<br>    CERT_DECODE:PGP<br>        CERT_DECODE:PGP<br>    CONTAINER_DECODE:PKCS12 (not loaded)<br>        CONTAINER_DECODE:PKCS12<br>af-alg:<br>    CRYPTER:DES_CBC-8<br>    CRYPTER:DES_ECB-8<br>    CRYPTER:3DES_CBC-24<br>    CRYPTER:AES_CBC-16<br>    CRYPTER:AES_CBC-24<br>    CRYPTER:AES_CBC-32<br>    CRYPTER:TWOFISH_CBC-16<br>    CRYPTER:TWOFISH_CBC-24<br>    CRYPTER:TWOFISH_CBC-32<br>fips-prf:<br>    PRF:PRF_FIPS_SHA1_160<br>        PRF:PRF_KEYED_SHA1<br>gmp:<br>    DH:MODP_2048<br>        RNG:RNG_STRONG<br>    DH:MODP_2048_224<br>        RNG:RNG_STRONG<br>    DH:MODP_2048_256<br>        RNG:RNG_STRONG<br>    DH:MODP_1536<br>        RNG:RNG_STRONG<br>    DH:MODP_3072<br>        RNG:RNG_STRONG<br>    DH:MODP_4096<br>        RNG:RNG_STRONG<br>    DH:MODP_6144<br>        RNG:RNG_STRONG<br>    DH:MODP_8192<br>        RNG:RNG_STRONG<br>    DH:MODP_1024<br>        RNG:RNG_STRONG<br>    DH:MODP_1024_160<br>        RNG:RNG_STRONG<br>    DH:MODP_768<br>        RNG:RNG_STRONG<br>    DH:MODP_CUSTOM<br>        RNG:RNG_STRONG<br>    PRIVKEY:RSA<br>    PRIVKEY_GEN:RSA<br>        RNG:RNG_TRUE<br>    PUBKEY:RSA<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1<br>        HASHER:HASH_SHA1<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224<br>        HASHER:HASH_SHA224<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256<br>        HASHER:HASH_SHA256<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384<br>        HASHER:HASH_SHA384<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512<br>        HASHER:HASH_SHA512<br>    PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5<br>        HASHER:HASH_MD5<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1<br>        HASHER:HASH_SHA1<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224<br>        HASHER:HASH_SHA224<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256<br>        HASHER:HASH_SHA256<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384<br>        HASHER:HASH_SHA384<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512<br>        HASHER:HASH_SHA512<br>    PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5<br>        HASHER:HASH_MD5<br>    PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1<br>    PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1<br>        RNG:RNG_WEAK<br>cmac:<br>    PRF:PRF_AES128_CMAC<br>        CRYPTER:AES_CBC-16<br>    SIGNER:AES_CMAC_96<br>        CRYPTER:AES_CBC-16<br>hmac:<br>    PRF:PRF_HMAC_SHA1<br>        HASHER:HASH_SHA1<br>    PRF:PRF_HMAC_MD5<br>        HASHER:HASH_MD5<br>    PRF:PRF_HMAC_SHA2_256<br>        HASHER:HASH_SHA256<br>    PRF:PRF_HMAC_SHA2_384<br>        HASHER:HASH_SHA384<br>    PRF:PRF_HMAC_SHA2_512<br>        HASHER:HASH_SHA512<br>    SIGNER:HMAC_SHA1_96<br>        HASHER:HASH_SHA1<br>    SIGNER:HMAC_SHA1_128<br>        HASHER:HASH_SHA1<br>    SIGNER:HMAC_SHA1_160<br>        HASHER:HASH_SHA1<br>    SIGNER:HMAC_MD5_96<br>        HASHER:HASH_MD5<br>    SIGNER:HMAC_MD5_128<br>        HASHER:HASH_MD5<br>    SIGNER:HMAC_SHA2_256_128<br>        HASHER:HASH_SHA256<br>    SIGNER:HMAC_SHA2_256_256<br>        HASHER:HASH_SHA256<br>    SIGNER:HMAC_SHA2_384_192<br>        HASHER:HASH_SHA384<br>    SIGNER:HMAC_SHA2_384_384<br>        HASHER:HASH_SHA384<br>    SIGNER:HMAC_SHA2_512_256<br>        HASHER:HASH_SHA512<br>    SIGNER:HMAC_SHA2_512_512<br>        HASHER:HASH_SHA512<br>attr:<br>    CUSTOM:attr<br>kernel-libipsec:<br>    CUSTOM:kernel-ipsec<br>    CUSTOM:kernel-libipsec-router<br>        CUSTOM:libcharon-receiver<br>kernel-netlink:<br>    CUSTOM:kernel-ipsec<br>    CUSTOM:kernel-net<br>resolve:<br>    CUSTOM:resolve<br>socket-default:<br>    CUSTOM:socket<br>        CUSTOM:kernel-ipsec (soft)<br>stroke:<br>    CUSTOM:stroke<br>        PRIVKEY:RSA (soft)<br>        PRIVKEY:ECDSA (soft)<br>        PRIVKEY:DSA (soft)<br>        CERT_DECODE:ANY (soft)<br>        CERT_DECODE:X509 (soft)<br>        CERT_DECODE:X509_CRL (soft)<br>        CERT_DECODE:X509_AC (soft)<br>        CERT_DECODE:TRUSTED_PUBKEY (soft)<br>updown:<br>    CUSTOM:updown<br>eap-identity:<br>    EAP_SERVER:ID<br>    EAP_CLIENT:ID<br>eap-md5:<br>    EAP_SERVER:MD5<br>        HASHER:HASH_MD5<br>        RNG:RNG_WEAK<br>    EAP_CLIENT:MD5<br>        HASHER:HASH_MD5<br>        RNG:RNG_WEAK<br>xauth-generic:<br>    XAUTH_SERVER:generic<br>    XAUTH_CLIENT:generic<br>xauth-eap:<br>    XAUTH_SERVER:eap<br><br></div><div># cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file<br>config setup<br>        charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"<br><br>conn home<br>     left=10.x.x.x<br>     leftid=<a href="mailto:0005B94234BD@picasso.com">0005B94234BD@picasso.com</a><br>     leftauth=eap-md5<br>     rightauth=psk<br>     leftsourceip=%config<br>     leftfirewall=yes<br>     ike=3des-sha1-prfsha1-modp1024!<br>     esp=aes128-sha1!<br>     right=10.x.x.x<br>     rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br>     rightid=%any<br>     auto=add<br>     mobike=no<br>     dpddelay=200s<br>     dpdaction=clear<br>     rekey=yes<br>     ikelifetime=86400<br>     lifetime=36000<br>     reauth=no<br>     rekeymargin=3m<br>     keyingtries=1<br>     keyexchange=ikev2<br><br> cat /etc/strongswan.conf <br># strongswan.conf - strongSwan configuration file<br><br>charon {<br><br>        # number of worker threads in charon<br>        threads = 16<br><br>        close_ike_on_child_failure = yes<br>        retransmit_tries = 20<br>        retransmit_timeout = 20<br>        retransmit_base = 1<br><br>        keep_alive = 20s<br>        # send strongswan vendor ID?<br>        # send_vendor_id = yes<br><br>        plugins {<br><br>                sql {<br>                        # loglevel to log into sql database<br>                        loglevel = -1<br>                        # URI to the database<br>                        # database = sqlite:///path/to/file.db<br>                        # database = mysql://user:password@localhost/database<br>                }<br>                resolve{<br>                       file = /etc/resolvtunnel.conf<br>                }<br>                kernel-netlink {<br>                      fwmark = !0x42<br>                }<br>                socket-default {<br>                      fwmark = 0x42<br>                }<br>                kernel-libipsec {<br>                      allow_peer_ts = yes<br>                }<br>        }<br><br><br></div><div>Let me know if this is an existing issue.. Please let me know if any further information is required.<br><br></div><div>Regards,<br></div><div>Sriram.<br></div><div><br></div><div><br></div></div>