[strongSwan] charon RSA tunnel setup speed hints?

Richard Andrews richard.andrews at symstream.com
Tue Aug 14 08:59:12 CEST 2012


Having looked at the code, in backend_manager.c there appears to be a
linear search through the peer table for candidates matching all the
required criteria.

Are there any alternative search implementations for larger peer sets?


On Tue, 2012-08-14 at 09:41 +1000, Richard Andrews wrote:
> What I'm finding is an unexpectedly long time interval in what I think
> is searching for the peer. In this case about 400ms.
> 
> What can I do to make peer lookup more efficient? How is it implemented?
> 
> 2012-08-14T09:21:24.414328+10:00 s5gw-211 charon: 12[NET] received packet: from 192.168.0.126[4500] to 192.168.0.211[4500]
> 2012-08-14T09:21:24.414358+10:00 s5gw-211 charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) ]
> 2012-08-14T09:21:24.414368+10:00 s5gw-211 charon: 12[CFG] looking for peer configs matching 192.168.0.211[C=AU, O=Symstream, OU=RnD, CN=vpngw02.symstream.com]...192.168.0.126[C=AU, OU=RnD, O=Symstream, CN=test04038.rnd.symstream.com]
> ... (other threads running here) ...
> 2012-08-14T09:21:24.827138+10:00 s5gw-211 charon: 12[CFG] selected peer config 'svc_04042'
> 2012-08-14T09:21:24.836992+10:00 s5gw-211 charon: 12[CFG]   using trusted certificate "C=AU, OU=RnD, O=Symstream, CN=test04038.rnd.symstream.com"
> 2012-08-14T09:21:24.842313+10:00 s5gw-211 charon: 12[IKE] authentication of 'C=AU, OU=RnD, O=Symstream, CN=test04038.rnd.symstream.com' with RSA signature successful
> 2012-08-14T09:21:24.842501+10:00 s5gw-211 charon: 12[IKE] peer supports MOBIKE
> 2012-08-14T09:21:24.850514+10:00 s5gw-211 charon: 12[IKE] authentication of 'C=AU, O=Symstream, OU=RnD, CN=vpngw02.symstream.com' (myself) with RSA signature successful
> 2012-08-14T09:21:24.850699+10:00 s5gw-211 charon: 12[IKE] IKE_SA svc_04042[2348] established between 192.168.0.211[C=AU, O=Symstream, OU=RnD, CN=vpngw02.symstream.com]...192.168.0.126[C=AU, OU=RnD, O=Symstream, CN=test04038.rnd.symstream.com] with SPIs: cd9a93663217fceb_i 3995a67a42ae17a2_r*
> 2012-08-14T09:21:24.851004+10:00 s5gw-211 charon: 12[IKE] scheduling reauthentication in 21504s
> 2012-08-14T09:21:24.851193+10:00 s5gw-211 charon: 12[IKE] maximum IKE_SA lifetime 21564s
> 2012-08-14T09:21:24.851663+10:00 s5gw-211 charon: 12[KNL] no local address found in traffic selector 192.168.120.25/32
> 2012-08-14T09:21:24.855155+10:00 s5gw-211 charon: 12[KNL] no local address found in traffic selector 192.168.120.25/32
> 2012-08-14T09:21:24.855334+10:00 s5gw-211 charon: 12[IKE] CHILD_SA svc_04042{2268} established with SPIs c6462264_i cfdda145_o and TS 192.168.120.25/32 === 10.200.15.198/32 
> 2012-08-14T09:21:24.855621+10:00 s5gw-211 charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> 2012-08-14T09:21:24.855962+10:00 s5gw-211 charon: 12[NET] sending packet: from 192.168.0.211[4500] to 192.168.0.126[4500]
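As an added example (not from the list post or the strongSwan code), a small Python script that pairs each "looking for peer configs" line with the next "selected peer config" line on the same charon thread and reports the lookup latency, so the 400 ms gap described above can be measured across many IKE_AUTH exchanges rather than eyeballed. The thread-12 lines in the sample are the ones quoted above; the thread-07 lines are constructed to show that pairing is done per thread.

```python
import re
from datetime import datetime

# Constructed sample in the charon/syslog format quoted in the thread. The
# thread 12 lines are the real ones; thread 07 is a made-up interleaved
# lookup so that per-thread pairing is exercised.
SAMPLE_LOG = """\
2012-08-14T09:21:24.414368+10:00 s5gw-211 charon: 12[CFG] looking for peer configs matching 192.168.0.211[C=AU, O=Symstream, OU=RnD, CN=vpngw02.symstream.com]...192.168.0.126[C=AU, OU=RnD, O=Symstream, CN=test04038.rnd.symstream.com]
2012-08-14T09:21:24.500000+10:00 s5gw-211 charon: 07[CFG] looking for peer configs matching 192.168.0.211[C=AU, O=Symstream, OU=RnD, CN=vpngw02.symstream.com]...192.168.0.130[C=AU, OU=RnD, O=Symstream, CN=test04039.rnd.symstream.com]
2012-08-14T09:21:24.827138+10:00 s5gw-211 charon: 12[CFG] selected peer config 'svc_04042'
2012-08-14T09:21:24.512345+10:00 s5gw-211 charon: 07[CFG] selected peer config 'svc_04043'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ charon: (?P<thread>\d+)\[CFG\] (?P<msg>.*)$")
LOOKING = "looking for peer configs matching "
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']*)'")


def peer_lookup_latencies(log_text):
    """Pair each lookup start with the next selection on the same charon
    thread; return (thread, config_name, latency_ms) in selection order."""
    pending = {}   # charon thread id -> timestamp of the lookup start
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a CFG line (other subsystems, other daemons)
        ts = datetime.fromisoformat(m["ts"])
        thread, msg = m["thread"], m["msg"]
        if msg.startswith(LOOKING):
            pending[thread] = ts
        else:
            sel = SELECTED_RE.search(msg)
            if sel and thread in pending:
                delta = ts - pending.pop(thread)
                results.append((thread, sel["name"], delta.total_seconds() * 1000.0))
    return results


def slow_lookups(log_text, threshold_ms=100.0):
    """Only the lookups above threshold_ms: a simple alert condition to watch
    as the peer table grows."""
    return [r for r in peer_lookup_latencies(log_text) if r[2] > threshold_ms]


if __name__ == "__main__":
    for thread, name, ms in peer_lookup_latencies(SAMPLE_LOG):
        print(f"thread {thread}: config {name!r} selected after {ms:.3f} ms")
```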