[strongSwan-dev] FreeBSD limitation on manual reqids

Laurent ANSEL laurent.ansel at stormshield.eu
Thu Aug 2 11:34:24 CEST 2018


Hello,

After ~6 days our tunnels stop working.

Having a look at the SAD and SPD, we can see an inconsistency in the reqid between the SAD and the SPD:

100.100.100.210[4500] 109.11.194.95[4500] 
        esp-udp mode=tunnel spi=3379728082(0xc9728ed2) reqid=17440(0x00004420)
....

100.100.100.210[4500] 109.11.194.95[4500] 
        esp-udp mode=tunnel spi=3409116770(0xcb32fe62) reqid=17439(0x0000441f)
....

--
109.11.194.95[4500] 100.100.100.210[4500] 
        esp-udp mode=tunnel spi=3424858610(0xcc2331f2) reqid=17440(0x00004420)
....
109.11.194.95[4500] 100.100.100.210[4500] 
        esp-udp mode=tunnel spi=3454863146(0xcded072a) reqid=17439(0x0000441f)
....


10.10.1.42[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/109.11.194.95-100.100.100.210/unique#18495
...
10.10.33.42[any] 0.0.0.0/0[any] 255
    in ipsec
    esp/tunnel/109.11.194.95-100.100.100.210/unique#18497
...
0.0.0.0/0[any] 10.10.1.42[any] 255
    out ipsec
    esp/tunnel/100.100.100.210-109.11.194.95/unique#18496
... 
0.0.0.0/0[any] 10.10.33.42[any] 255
    out ipsec
    esp/tunnel/100.100.100.210-109.11.194.95/unique#18498

We are currently using FreeBSD, and we found this define IPSEC_MANUAL_REQID_MAX (0x3fff == 16383). When a reqid reaches this limit, FreeBSD will never use our reqid anymore.
We took a look at the charon code, and we found that you just increase a counter each time you create a new reqid and use it. So we thought to change this behavior and reuse reqids, i.e. store reqids when they are released and use them when we want to create a new one. (We already patched the code and tried it; it works for us.)

What do you think?


Thank you for your help in advance,

Regards,
Laurent Ansel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: reuse_reqids.patch
Type: text/x-patch
Size: 1990 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20180802/e85fb692/attachment.patch>
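To illustrate the behaviour discussed in this mail, here is an added example (not strongSwan code and not the attached patch): a reqid pool that hands released reqids back out before advancing the counter, plus a rekey simulation showing why a counter alone runs into the FreeBSD cap. IPSEC_MANUAL_REQID_MAX is the value quoted above; the pool layout, its free-list size and the simulation are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* FreeBSD's manual reqid cap as quoted in the mail (0x3fff == 16383). */
#define IPSEC_MANUAL_REQID_MAX 0x3fff
#define FREE_LIST_CAP 1024          /* assumed size of the reuse list */

typedef struct {
    uint32_t next;                      /* counter: next never-used reqid */
    uint32_t free_list[FREE_LIST_CAP];  /* released reqids waiting for reuse */
    size_t   free_count;
} reqid_pool_t;

void reqid_pool_init(reqid_pool_t *p) { memset(p, 0, sizeof(*p)); p->next = 1; }

/* Returns a reqid in 1..IPSEC_MANUAL_REQID_MAX, preferring released ones;
 * 0 once the counter is exhausted and nothing has been released. */
uint32_t reqid_alloc(reqid_pool_t *p) {
    if (p->free_count > 0) return p->free_list[--p->free_count];
    if (p->next > IPSEC_MANUAL_REQID_MAX) return 0;  /* the failure the mail describes */
    return p->next++;
}

/* Puts a reqid back for reuse; false if it is out of range or the list is full. */
bool reqid_release(reqid_pool_t *p, uint32_t reqid) {
    if (reqid == 0 || reqid > IPSEC_MANUAL_REQID_MAX || p->free_count == FREE_LIST_CAP)
        return false;
    p->free_list[p->free_count++] = reqid;
    return true;
}

/* Counter-only policy (no release): how many reqids exist before exhaustion. */
unsigned allocs_until_exhausted(void) {
    reqid_pool_t p; unsigned n = 0;
    reqid_pool_init(&p);
    while (reqid_alloc(&p) != 0) n++;
    return n;
}

/* Simulates `rounds` rekeyings of one tunnel (allocate the new reqid, then
 * release the old one) and returns the highest reqid ever handed out. */
uint32_t simulate_rekeys(reqid_pool_t *p, unsigned rounds) {
    uint32_t cur = reqid_alloc(p), max = cur;
    for (unsigned i = 0; i < rounds && cur != 0; i++) {
        uint32_t fresh = reqid_alloc(p);
        reqid_release(p, cur);
        cur = fresh;
        if (cur > max) max = cur;
    }
    return max;
}
```

With reuse, 20000 rekeys of a single tunnel never need more than two reqids, whereas a pure counter would have passed 0x3fff long before.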

