<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">GM Rajiv,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Appreciate your suggestions. Will test for 24 hours and get back.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">With regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Makarand.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Rajiv Kulkarni <rajivkulkarni69@gmail.com>
<br>
<b>Sent:</b> May 25, 2022 3:35 PM<br>
<b>To:</b> Makarand Pradhan <MakarandPradhan@is5com.com><br>
<b>Cc:</b> Users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Multiple SAs after rekey with traffic.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1. why have you changed/set the "rekeyfuzz=0%" - i suggest that you should NOT change any of the "default/pre-defined" settings that are used in the Expry-Rekeying formulae such as "rekeyfuzz" which i believe is 100% as default value.....<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">2. so except for "margintime" (which is correctly set to 1m in your case becos you have reduces lifetimes for both ChildSA and also the IKE-SAs), dont change any of the default settings...especially in the "../strongswan.d/charon.conf"
file....keep them as is...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">3. Since you are using IKEv2.....please use the option "reauth=no"....strongly suggested for all IKEv2 based tunnels<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">regards<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Rajiv<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, May 18, 2022 at 6:53 PM Makarand Pradhan <<a href="mailto:MakarandPradhan@is5com.com" target="_blank">MakarandPradhan@is5com.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt">GM All,<br>
<br>
A quick update on the issue.<br>
<br>
I upgraded to 5.9.6 and things have improved a lot. The issue has not been resolved completely but charon is now not hogging the CPU as much.<br>
<br>
After a 24 hour traffic run, I still see multiple IKE and IPSec SAs created. All the same, not as many as I was noticing in 5.9.5.<br>
<br>
I started with 50 SAs. Now after 24 hours, I have 146.<br>
<br>
Routed Connections:<br>
policy2{6}: ROUTED, TUNNEL, reqid 2<br>
policy2{6}: <a href="http://10.10.102.0/24" target="_blank">10.10.102.0/24</a> ===
<a href="http://192.168.102.0/24" target="_blank">192.168.102.0/24</a><br>
Security Associations (146 up, 0 connecting):<br>
<br>
Traffic is flowing, but CPU usage is way up.<br>
<br>
Would highly appreciate if anyone can suggest if I have missed a config in charon.conf. Have tried but am not seeing any improvement.<br>
<br>
Hoping to hear comments/suggestions on the issue.<br>
<br>
Thanks and Regards,<br>
Makarand Pradhan<br>
Senior Software Engineer.<br>
iS5 Communications Inc.<br>
5895 Ambler Dr,<br>
Mississauga, Ontario<br>
L4W 5B7<br>
Main Line: +1-844-520-0588 Ext. 129<br>
Direct Line: +1-289-724-2296<br>
Cell: +1-226-501-5666<br>
Fax:+1-289-401-5206<br>
Email: <a href="mailto:makarandpradhan@is5com.com" target="_blank">makarandpradhan@is5com.com</a><br>
Website: <a href="http://www.iS5Com.com" target="_blank">www.iS5Com.com</a><br>
<br>
-----Original Message-----<br>
From: Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswan.org</a>> On Behalf Of Makarand Pradhan<br>
Sent: May 16, 2022 11:37 AM<br>
To: <a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
Subject: [strongSwan] Multiple SAs after rekey with traffic.<br>
<br>
Good morning All,<br>
<br>
I am facing an issue where the number of SAs keep on going up and then charon starts hogging the CPU. Will highly appreciate if anyone comment if I have misconfigured some parameter or if this is a known issue? Details below:<br>
<br>
We are running Strongswan 5.9.5 on ppc64, Linux kernel 4.1.35.<br>
<br>
It is noted that after a rekey timeout, a new SA is created(ESTABLISHED/INSTALLED). This happens only with traffic. Over a period of time, the number of SAs keep on increasing and then charon hogs the CPU.<br>
<br>
Please find below the ipsec.conf that is being used and a log of my session showing the increasing number of SAs.<br>
<br>
ipsec.conf<br>
<br>
sh-4.3# cat /usr/local/etc/ipsec.conf<br>
config setup<br>
charondebug=@all@<br>
cachecrls=yes<br>
uniqueids=yes<br>
strictcrlpolicy=no<br>
<br>
#####IS5#####<br>
conn policy1<br>
type=tunnel<br>
authby=secret<br>
auto=route<br>
keyexchange=ikev2<br>
ike=aes256-sha512-modp1536!<br>
aggressive=no<br>
ikelifetime=40m<br>
esp=aes256-sha256-modp2048!<br>
lifetime=20m<br>
right=172.16.100.101<br>
rightid=172.16.100.101<br>
rightsubnet=<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
left=172.16.100.1<br>
leftid=172.16.100.1<br>
leftsubnet=<a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a><br>
dpddelay=60s<br>
mobike=no<br>
dpdaction=clear<br>
margintime=1m<br>
rekeyfuzz=0%<br>
leftcert=<br>
<br>
<br>
e.g. Tunnel is set up:<br>
<br>
sh-4.3# date<br>
Mon May 16 09:15:33 UTC 2022<br>
sh-4.3# ipsec status policy1<br>
Routed Connections:<br>
policy1{1}: ROUTED, TUNNEL, reqid 1<br>
policy1{1}: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
Security Associations (1 up, 0 connecting):<br>
policy1[1]: ESTABLISHED 22 seconds ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]<br>
policy1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i c18d1d43_o<br>
policy1{2}: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
<br>
After some time:<br>
<br>
<br>
sh-4.3# ipsec statusall policy1<br>
Status of IKE charon daemon (weakSwan 5.9.5, Linux 4.1.35-rt41, ppc64):<br>
uptime: 77 minutes, since May 16 09:15:14 2022<br>
malloc: sbrk 2400256, mmap 0, used 354336, free 2045920<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6<br>
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke
vici updown xauth-generic counters Listening IP addresses:<br>
10.10.5.1<br>
192.168.101.11<br>
192.168.10.1<br>
192.168.50.2<br>
172.16.100.1<br>
Connections:<br>
policy1: 172.16.100.1...172.16.100.101 IKEv2, dpddelay=60s<br>
policy1: local: [172.16.100.1] uses pre-shared key authentication<br>
policy1: remote: [172.16.100.101] uses pre-shared key authentication<br>
policy1: child: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a> TUNNEL, dpdaction=clear<br>
Routed Connections:<br>
policy1{1}: ROUTED, TUNNEL, reqid 1<br>
policy1{1}: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
Security Associations (2 up, 0 connecting):<br>
policy1[2]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]<br>
policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r, pre-shared key reauthentication in 17 seconds<br>
policy1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536<br>
policy1{13}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i ca96f84a_o<br>
policy1{13}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes<br>
policy1{13}: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
policy1[3]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]<br>
policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*, pre-shared key reauthentication in 17 seconds<br>
policy1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536<br>
policy1{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o<br>
policy1{12}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes<br>
policy1{12}: <a href="http://192.168.101.0/24" target="_blank">192.168.101.0/24</a> ===
<a href="http://10.10.101.0/24" target="_blank">10.10.101.0/24</a><br>
<br>
Kind rgds,<br>
Makarand Pradhan<br>
Senior Software Engineer.<br>
iS5 Communications Inc.<br>
5895 Ambler Dr,<br>
Mississauga, Ontario<br>
L4W 5B7<br>
Main Line: +1-844-520-0588 Ext. 129<br>
Direct Line: +1-289-724-2296<br>
Cell: +1-226-501-5666<br>
Fax:+1-289-401-5206<br>
Email: <a href="mailto:makarandpradhan@is5com.com" target="_blank">makarandpradhan@is5com.com</a><br>
Website: <a href="http://www.iS5Com.com" target="_blank">www.iS5Com.com</a><br>
<br>
<br>
Confidentiality Notice:<br>
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly
prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure
unless properly encrypted.<o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>