[strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

Martin Willi martin at strongswan.org
Thu Aug 8 10:17:02 CEST 2013

> I modified the strongSwan code to set the soft_add_expires_seconds,
> hard_add_expires_seconds, soft_use_expires_seconds and
> hard_use_expires_seconds to 86400 seconds (i.e., 24 hours) in add_sa()
> (kernel_netlink_ipsec.c).

Maybe I was not clear enough: my suggestion was to change the value
of /proc/sys/net/core/xfrm_acq_expires. This is set on line 2669 of

Should the IKE_AUTH exchange take longer than 165s, the kernel will
remove the larval SA created during SPI allocation, and the installation
of the negotiated SA fails.
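
An added example, not part of the original post or of strongSwan's code: a shell check that the larval SA lifetime in /proc/sys/net/core/xfrm_acq_expires covers the slowest IKE_AUTH exchange measured under load. The function name `check_acq_expires`, the 10 second default margin and the worst-case duration you pass in are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the kernel's larval-SA (acquire) lifetime with the
# slowest IKE_AUTH exchange expected under load.
# The default path is the proc file named in the post; everything else here
# (function name, margin default) is an assumption of this example.

ACQ_PATH_DEFAULT=/proc/sys/net/core/xfrm_acq_expires

# check_acq_expires <worst_case_ike_auth_seconds> [path] [margin_seconds]
# Returns 0 if the lifetime is sufficient, 1 if it is too low,
# 2 if the arguments or the file content cannot be used.
check_acq_expires() {
    worst=$1
    path=${2:-$ACQ_PATH_DEFAULT}
    margin=${3:-10}

    # Both inputs must be plain non-negative integers.
    case $worst in
        ''|*[!0-9]*) echo "usage: check_acq_expires <seconds> [path] [margin]" >&2; return 2 ;;
    esac
    case $margin in
        ''|*[!0-9]*) echo "margin must be an integer" >&2; return 2 ;;
    esac

    [ -r "$path" ] || { echo "cannot read $path" >&2; return 2; }
    current=$(tr -d '[:space:]' < "$path")
    case $current in
        ''|*[!0-9]*) echo "unexpected value in $path: $current" >&2; return 2 ;;
    esac

    needed=$((worst + margin))
    if [ "$current" -ge "$needed" ]; then
        echo "ok: xfrm_acq_expires=${current}s covers ${worst}s + ${margin}s margin"
        return 0
    fi

    # Too low: the kernel would drop the larval SA before IKE_AUTH completes.
    echo "too low: xfrm_acq_expires=${current}s, need >= ${needed}s"
    echo "  to raise it: sysctl -w net.core.xfrm_acq_expires=${needed}"
    return 1
}

# Run the check only when the script is called with arguments,
# e.g. ./check_acq.sh 240
if [ $# -gt 0 ]; then
    check_acq_expires "$@"
fi
```

Since the post says strongSwan sets this value itself, run the check after the daemon has started so that it reads the value actually in effect.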


