<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Sriram</b> <span dir="ltr"><<a href="mailto:sriram.ec@gmail.com">sriram.ec@gmail.com</a>></span><br>Date: Fri, May 22, 2015 at 8:47 AM<br>Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.<br>To: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br><br><br><div dir="ltr"><div><div>Hi,<br><br></div>I'm using strongswan-5.3.0 for tunnel establishment. In that I'm trying out libipsec, which does userspace encryption/decryption.<br><br></div><div>In our lab I tested a scenario where I sent:<br><br>1. 20Mbps uplink traffic from the device where libipsec is running, to a remote server.<br></div><div>2. 80Mbps downlink traffic from the remote server to the device where libipsec is running.<br><br></div><div>These two traffic streams are sent simultaneously using the iperf tool.<br></div><div>I see that charon's memory usage gradually shoots up; it goes up to 630MB before the device crashes with out of memory.<br><br></div><div>Attaching the ipsec configuration on the device for reference:<br># ipsec stautusall<br>Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):<br> uptime: 3 hours, since May 21 12:39:32 2015<br> malloc: sbrk 262144, mmap 0, used 124296, free 137848<br> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5<br> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap<br>Listening IP addresses:<br> 10.206.1.195<br> 192.168.16.1<br> 192.168.17.1<br> 192.168.18.1<br> 192.168.19.1<br> 192.168.20.1<br> 192.168.21.1<br> 192.168.22.1<br>Connections:<br> home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s<br> home: local: [<a 
href="mailto:0005B94234BD@picasso.com" target="_blank">0005B94234BD@picasso.com</a>] uses EAP_MD5 authentication<br> home: remote: uses pre-shared key authentication<br> home: child: dynamic === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> TUNNEL, dpdaction=clear<br>Security Associations (1 up, 0 connecting):<br> home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[<a href="mailto:0005B94234BD@picasso.com" target="_blank">0005B94234BD@picasso.com</a>]...10.x.x..x[<a href="mailto:a@airvana.com" target="_blank">a@airvana.com</a>]<br> home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, rekeying in 20 hours<br> home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br> home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 000a238e_o<br> home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours<br> home{1}: <a href="http://10.220.10.116/32" target="_blank">10.220.10.116/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <br># ipsec listall<br><br>List of registered IKE algorithms:<br><br> encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]<br> integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]<br> HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]<br> HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]<br> aead:<br> hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]<br> prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]<br> PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]<br> dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]<br> MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] 
MODP_2048_256[gmp] MODP_CUSTOM[gmp]<br> random-gen: RNG_STRONG[random] RNG_TRUE[random]<br> nonce-gen: [nonce]<br><br>List of loaded Plugins:<br><br>charon:<br> CUSTOM:libcharon<br> NONCE_GEN<br> CUSTOM:libcharon-receiver<br> CUSTOM:kernel-ipsec<br> CUSTOM:kernel-net<br> CUSTOM:libcharon-receiver<br> HASHER:HASH_SHA1<br> RNG:RNG_STRONG<br> CUSTOM:socket<br>aes:<br> CRYPTER:AES_CBC-16<br> CRYPTER:AES_CBC-24<br> CRYPTER:AES_CBC-32<br>des:<br> CRYPTER:3DES_CBC-24<br> CRYPTER:DES_CBC-8<br> CRYPTER:DES_ECB-8<br>sha1:<br> HASHER:HASH_SHA1<br> PRF:PRF_KEYED_SHA1<br>sha2:<br> HASHER:HASH_SHA224<br> HASHER:HASH_SHA256<br> HASHER:HASH_SHA384<br> HASHER:HASH_SHA512<br>md5:<br> HASHER:HASH_MD5<br>random:<br> RNG:RNG_STRONG<br> RNG:RNG_TRUE<br>nonce:<br> NONCE_GEN<br> RNG:RNG_WEAK<br>x509:<br> CERT_ENCODE:X509<br> HASHER:HASH_SHA1<br> CERT_DECODE:X509<br> HASHER:HASH_SHA1<br> PUBKEY:RSA (soft)<br> PUBKEY:ECDSA (soft)<br> PUBKEY:DSA (soft)<br> CERT_ENCODE:X509_AC<br> CERT_DECODE:X509_AC<br> CERT_ENCODE:X509_CRL<br> CERT_DECODE:X509_CRL<br> CERT_ENCODE:X509_OCSP_REQUEST<br> HASHER:HASH_SHA1<br> RNG:RNG_WEAK<br> CERT_DECODE:X509_OCSP_RESPONSE<br> CERT_ENCODE:PKCS10_REQUEST<br> CERT_DECODE:PKCS10_REQUEST<br>revocation:<br> CUSTOM:revocation<br> CERT_ENCODE:X509_OCSP_REQUEST (soft)<br> CERT_DECODE:X509_OCSP_RESPONSE (soft)<br> CERT_DECODE:X509_CRL (soft)<br> CERT_DECODE:X509 (soft)<br> FETCHER:(null) (soft)<br>constraints:<br> CUSTOM:constraints<br> CERT_DECODE:X509 (soft)<br>pubkey:<br> CERT_ENCODE:TRUSTED_PUBKEY<br> CERT_DECODE:TRUSTED_PUBKEY<br> PUBKEY:RSA (soft)<br> PUBKEY:ECDSA (soft)<br> PUBKEY:DSA (soft)<br>pkcs1:<br> PRIVKEY:RSA<br> PUBKEY:ANY<br> PUBKEY:RSA<br>pkcs7:<br> CONTAINER_DECODE:PKCS7<br> CONTAINER_ENCODE:PKCS7_DATA<br> CONTAINER_ENCODE:PKCS7_SIGNED_DATA<br> CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA<br>pkcs8:<br> PRIVKEY:ANY<br> PRIVKEY:RSA<br> PRIVKEY:ECDSA<br>pgp:<br> PRIVKEY:ANY<br> PRIVKEY:RSA<br> PUBKEY:ANY<br> PUBKEY:RSA<br> CERT_DECODE:PGP<br>dnskey:<br> 
PUBKEY:ANY<br> PUBKEY:RSA<br>pem:<br> PRIVKEY:ANY<br> PRIVKEY:ANY<br> HASHER:HASH_MD5 (soft)<br> PRIVKEY:RSA<br> PRIVKEY:RSA<br> HASHER:HASH_MD5 (soft)<br> PRIVKEY:ECDSA<br> PRIVKEY:ECDSA<br> HASHER:HASH_MD5 (soft)<br> PRIVKEY:DSA (not loaded)<br> PRIVKEY:DSA<br> HASHER:HASH_MD5 (soft)<br> PUBKEY:ANY<br> PUBKEY:ANY<br> PUBKEY:RSA<br> PUBKEY:RSA<br> PUBKEY:ECDSA (not loaded)<br> PUBKEY:ECDSA<br> PUBKEY:DSA (not loaded)<br> PUBKEY:DSA<br> CERT_DECODE:ANY<br> CERT_DECODE:X509 (soft)<br> CERT_DECODE:PGP (soft)<br> CERT_DECODE:X509<br> CERT_DECODE:X509<br> CERT_DECODE:X509_CRL<br> CERT_DECODE:X509_CRL<br> CERT_DECODE:X509_OCSP_REQUEST (not loaded)<br> CERT_DECODE:X509_OCSP_REQUEST<br> CERT_DECODE:X509_OCSP_RESPONSE<br> CERT_DECODE:X509_OCSP_RESPONSE<br> CERT_DECODE:X509_AC<br> CERT_DECODE:X509_AC<br> CERT_DECODE:PKCS10_REQUEST<br> CERT_DECODE:PKCS10_REQUEST<br> CERT_DECODE:TRUSTED_PUBKEY<br> CERT_DECODE:TRUSTED_PUBKEY<br> CERT_DECODE:PGP<br> CERT_DECODE:PGP<br> CONTAINER_DECODE:PKCS12 (not loaded)<br> CONTAINER_DECODE:PKCS12<br>af-alg:<br> CRYPTER:DES_CBC-8<br> CRYPTER:DES_ECB-8<br> CRYPTER:3DES_CBC-24<br> CRYPTER:AES_CBC-16<br> CRYPTER:AES_CBC-24<br> CRYPTER:AES_CBC-32<br> CRYPTER:TWOFISH_CBC-16<br> CRYPTER:TWOFISH_CBC-24<br> CRYPTER:TWOFISH_CBC-32<br>fips-prf:<br> PRF:PRF_FIPS_SHA1_160<br> PRF:PRF_KEYED_SHA1<br>gmp:<br> DH:MODP_2048<br> RNG:RNG_STRONG<br> DH:MODP_2048_224<br> RNG:RNG_STRONG<br> DH:MODP_2048_256<br> RNG:RNG_STRONG<br> DH:MODP_1536<br> RNG:RNG_STRONG<br> DH:MODP_3072<br> RNG:RNG_STRONG<br> DH:MODP_4096<br> RNG:RNG_STRONG<br> DH:MODP_6144<br> RNG:RNG_STRONG<br> DH:MODP_8192<br> RNG:RNG_STRONG<br> DH:MODP_1024<br> RNG:RNG_STRONG<br> DH:MODP_1024_160<br> RNG:RNG_STRONG<br> DH:MODP_768<br> RNG:RNG_STRONG<br> DH:MODP_CUSTOM<br> RNG:RNG_STRONG<br> PRIVKEY:RSA<br> PRIVKEY_GEN:RSA<br> RNG:RNG_TRUE<br> PUBKEY:RSA<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1<br> HASHER:HASH_SHA1<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224<br> 
HASHER:HASH_SHA224<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256<br> HASHER:HASH_SHA256<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384<br> HASHER:HASH_SHA384<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512<br> HASHER:HASH_SHA512<br> PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5<br> HASHER:HASH_MD5<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1<br> HASHER:HASH_SHA1<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224<br> HASHER:HASH_SHA224<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256<br> HASHER:HASH_SHA256<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384<br> HASHER:HASH_SHA384<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512<br> HASHER:HASH_SHA512<br> PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5<br> HASHER:HASH_MD5<br> PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1<br> PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1<br> RNG:RNG_WEAK<br>cmac:<br> PRF:PRF_AES128_CMAC<br> CRYPTER:AES_CBC-16<br> SIGNER:AES_CMAC_96<br> CRYPTER:AES_CBC-16<br>hmac:<br> PRF:PRF_HMAC_SHA1<br> HASHER:HASH_SHA1<br> PRF:PRF_HMAC_MD5<br> HASHER:HASH_MD5<br> PRF:PRF_HMAC_SHA2_256<br> HASHER:HASH_SHA256<br> PRF:PRF_HMAC_SHA2_384<br> HASHER:HASH_SHA384<br> PRF:PRF_HMAC_SHA2_512<br> HASHER:HASH_SHA512<br> SIGNER:HMAC_SHA1_96<br> HASHER:HASH_SHA1<br> SIGNER:HMAC_SHA1_128<br> HASHER:HASH_SHA1<br> SIGNER:HMAC_SHA1_160<br> HASHER:HASH_SHA1<br> SIGNER:HMAC_MD5_96<br> HASHER:HASH_MD5<br> SIGNER:HMAC_MD5_128<br> HASHER:HASH_MD5<br> SIGNER:HMAC_SHA2_256_128<br> HASHER:HASH_SHA256<br> SIGNER:HMAC_SHA2_256_256<br> HASHER:HASH_SHA256<br> SIGNER:HMAC_SHA2_384_192<br> HASHER:HASH_SHA384<br> SIGNER:HMAC_SHA2_384_384<br> HASHER:HASH_SHA384<br> SIGNER:HMAC_SHA2_512_256<br> HASHER:HASH_SHA512<br> SIGNER:HMAC_SHA2_512_512<br> HASHER:HASH_SHA512<br>attr:<br> CUSTOM:attr<br>kernel-libipsec:<br> CUSTOM:kernel-ipsec<br> CUSTOM:kernel-libipsec-router<br> CUSTOM:libcharon-receiver<br>kernel-netlink:<br> CUSTOM:kernel-ipsec<br> CUSTOM:kernel-net<br>resolve:<br> CUSTOM:resolve<br>socket-default:<br> CUSTOM:socket<br> CUSTOM:kernel-ipsec (soft)<br>stroke:<br> CUSTOM:stroke<br> PRIVKEY:RSA (soft)<br> 
PRIVKEY:ECDSA (soft)<br> PRIVKEY:DSA (soft)<br> CERT_DECODE:ANY (soft)<br> CERT_DECODE:X509 (soft)<br> CERT_DECODE:X509_CRL (soft)<br> CERT_DECODE:X509_AC (soft)<br> CERT_DECODE:TRUSTED_PUBKEY (soft)<br>updown:<br> CUSTOM:updown<br>eap-identity:<br> EAP_SERVER:ID<br> EAP_CLIENT:ID<br>eap-md5:<br> EAP_SERVER:MD5<br> HASHER:HASH_MD5<br> RNG:RNG_WEAK<br> EAP_CLIENT:MD5<br> HASHER:HASH_MD5<br> RNG:RNG_WEAK<br>xauth-generic:<br> XAUTH_SERVER:generic<br> XAUTH_CLIENT:generic<br>xauth-eap:<br> XAUTH_SERVER:eap<br><br></div><div># cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file<br>config setup<br> charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"<br><br>conn home<br> left=10.x.x.x<br> leftid=<a href="mailto:0005B94234BD@picasso.com" target="_blank">0005B94234BD@picasso.com</a><br> leftauth=eap-md5<br> rightauth=psk<br> leftsourceip=%config<br> leftfirewall=yes<br> ike=3des-sha1-prfsha1-modp1024!<br> esp=aes128-sha1!<br> right=10.x.x.x<br> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> rightid=%any<br> auto=add<br> mobike=no<br> dpddelay=200s<br> dpdaction=clear<br> rekey=yes<br> ikelifetime=86400<br> lifetime=36000<br> reauth=no<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br><br> cat /etc/strongswan.conf <br># strongswan.conf - strongSwan configuration file<br><br>charon {<br><br> # number of worker threads in charon<br> threads = 16<br><br> close_ike_on_child_failure = yes<br> retransmit_tries = 20<br> retransmit_timeout = 20<br> retransmit_base = 1<br><br> keep_alive = 20s<br> # send strongswan vendor ID?<br> # send_vendor_id = yes<br><br> plugins {<br><br> sql {<br> # loglevel to log into sql database<br> loglevel = -1<br> # URI to the database<br> # database = sqlite:///path/to/file.db<br> # database = mysql://user:password@localhost/database<br> }<br> resolve{<br> file = /etc/resolvtunnel.conf<br> }<br> kernel-netlink {<br> fwmark = !0x42<br> }<br> socket-default {<br> fwmark = 
0x42<br> }<br> kernel-libipsec {<br> allow_peer_ts = yes<br> }<br> }<br><br><br></div><div>Let me know if this is an existing issue. Please let me know if any further information is required.<br><br></div><div>Regards,<br></div><div>Sriram.<br></div><div><br></div><div><br></div></div>
</div><br></div>
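A defender-side check for the load scenario in the mail above, added here as an example and not part of the original post or of strongSwan: it parses the `malloc:` line and the CHILD_SA byte/packet counters from successive `ipsec statusall` dumps and fits heap-in-use against ESP packets processed, so a per-packet leak in the userspace ESP path shows up as a stable positive slope and the remaining headroom before a given limit can be projected. The snapshot strings are constructed, not real output.

```python
import re
from typing import List, Optional, Tuple

# Two lines of `ipsec statusall` output, as printed in the report above:
#   malloc: sbrk 262144, mmap 0, used 124296, free 137848
#   home{1}: ..., 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), ...
MALLOC_RE = re.compile(r"malloc: sbrk (\d+), mmap (\d+), used (\d+), free (\d+)")
CHILD_RE = re.compile(r"bytes_i \((\d+) pkts, [^)]*\), \d+ bytes_o \((\d+) pkts")

def parse_snapshot(text: str) -> Tuple[int, int]:
    """Return (heap bytes in use, ESP packets in+out) from one statusall dump."""
    m = MALLOC_RE.search(text)
    c = CHILD_RE.search(text)
    if not m or not c:
        raise ValueError("snapshot lacks the malloc or CHILD_SA line")
    in_use = int(m.group(3)) + int(m.group(2))   # arena bytes used plus mmap'd blocks
    pkts = int(c.group(1)) + int(c.group(2))
    return in_use, pkts

def leak_per_packet(points: List[Tuple[int, int]]) -> float:
    """Least-squares slope of heap-in-use over packets processed, in bytes/packet."""
    n = len(points)
    mean_u = sum(u for u, _ in points) / n
    mean_p = sum(p for _, p in points) / n
    num = sum((p - mean_p) * (u - mean_u) for u, p in points)
    den = sum((p - mean_p) ** 2 for _, p in points)
    return num / den if den else 0.0

def packets_until_limit(points: List[Tuple[int, int]], limit_bytes: int) -> Optional[int]:
    """Packets left before the heap reaches limit_bytes, or None if memory is flat."""
    slope = leak_per_packet(points)
    if slope <= 0:
        return None
    in_use, _ = points[-1]
    return int((limit_bytes - in_use) / slope)

# Constructed snapshots (not real output): heap grows 100000 bytes per 1500 packets.
SNAPSHOTS = [
    "malloc: sbrk 262144, mmap 0, used 124296, free 137848\n"
    "home{1}: AES_CBC_128/HMAC_SHA1_96, 1400000 bytes_i (1000 pkts, 1s ago), 700000 bytes_o (500 pkts, 1s ago)",
    "malloc: sbrk 393216, mmap 0, used 224296, free 168920\n"
    "home{1}: AES_CBC_128/HMAC_SHA1_96, 2800000 bytes_i (2000 pkts, 1s ago), 1400000 bytes_o (1000 pkts, 1s ago)",
    "malloc: sbrk 524288, mmap 0, used 324296, free 199992\n"
    "home{1}: AES_CBC_128/HMAC_SHA1_96, 4200000 bytes_i (3000 pkts, 1s ago), 2100000 bytes_o (1500 pkts, 1s ago)",
]

if __name__ == "__main__":
    pts = [parse_snapshot(s) for s in SNAPSHOTS]
    print(leak_per_packet(pts), packets_until_limit(pts, 630 * 1024 * 1024))
```

Sample `ipsec statusall` every few seconds while the iperf streams run and feed the dumps in; a slope that stays positive as the packet count climbs points at a leak per packet rather than a one-off allocation.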