[strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Thu Aug 8 15:08:54 CEST 2013

Hi Martin,
I really appreciate your instant response. I modified
the strongswan code to set the value of /proc/sys/net/core/xfrm_acq_expires to
1000 seconds (kernel_netlink_ipsec.c) instead of 165 seconds.
Thereafter I tested with 600 IPsec connections (with the modified
code) 8 times without any issue. It was always able to bring up all 600
tunnels at both sides (IKE initiator and responder). Thereafter I increased the
connections from 600 to 1000 and ran the scenario four times. In the first couple
of runs, all the IKE/child SAs were
created successfully. I mean to say, I used the “#ip xfrm state count” command at
both ends and found the SAD count to be 2000.
But in the 3rd and 4th runs, the SAD counts were 1788 and 1664. Note that, after
each run, I do #ipsec stop and then #ipsec start.
Then I reduced the connections from 1000 to 600 and ran again. Surprisingly,
this time I found only 934 SAD entries where I was expecting 1200. What I observe is that once it fails, it does
not recover and keeps failing. Do I have to tune the “xfrm_acq_expires” parameter with different
values and see which value suits our setup? Please clarify.
Thanks again for your suggestion.

 From: Martin Willi <martin at strongswan.org>
To: Chinmaya Dwibedy <ckdwibedy at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Thursday, August 8, 2013 1:47 PM
Subject: Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue with load-tester plugin (using strongSwan 5.0.4)

> I modified the strongswan codes to set the soft_add_expires_seconds,
> hard_add_expires_seconds, soft_use_expires_seconds and
> hard_use_expires_seconds to 86400 seconds (i.e., 24 hours) in add_sa()
> (kernel_netlink_ipsec.c).

Maybe I was not clear enough: my suggestion was to change the value
of /proc/sys/net/core/xfrm_acq_expires. This is set on line 2669 of

Should the IKE_AUTH exchange take longer than 165s, the kernel will
remove the larval SA created during SPI allocation, and the installation
of the negotiated SA fails.
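The following script is an added example written for this thread; it is not code from the strongSwan project or from either poster. It automates the post-run check Chinmaya describes (read the kernel's larval-SA expiry, count xfrm states with "ip xfrm state count", compare against the expected total) and, for the parsing and comparison parts, runs offline on constructed output. It assumes, as the 600 -> 1200 and 1000 -> 2000 figures above imply, that each connection leaves exactly one CHILD_SA, i.e. two xfrm states (one per direction). The "--live" mode needs iproute2 and a readable net.core.xfrm_acq_expires sysctl.

```shell
#!/bin/sh
# Added example, not from strongSwan or the thread's authors: a post-run
# sanity check for the load-tester scenario above.
# Assumption: one IKE connection yields one CHILD_SA = two xfrm states.

# Extract the number from `ip xfrm state count` output ("XFRM-states: 2000").
sad_count_from_output() {
    printf '%s\n' "$1" | sed -n 's/^XFRM-states:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Number of xfrm states a run with N tunnels should leave installed.
expected_sad() {
    echo $(( $1 * 2 ))
}

# Compare a measured SAD count with the expectation for N tunnels.
# Prints "OK" or "MISSING <n>"; returns 0 when complete, 1 when SAs are missing.
check_sad() {
    conns=$1
    measured=$2
    want=$(expected_sad "$conns")
    if [ "$measured" -ge "$want" ]; then
        echo "OK"
        return 0
    fi
    echo "MISSING $(( want - measured ))"
    return 1
}

# Live mode: query the running kernel. Usage: ./sadcheck.sh --live <connections>
if [ "${1-}" = "--live" ]; then
    conns=${2:?usage: $0 --live <connections>}
    # The larval SA created at SPI allocation is dropped after this many
    # seconds; IKE_AUTH must finish within it or the negotiated SA cannot
    # be installed. charon rewrites this value at startup (see the thread),
    # so read it after `ipsec start`, not before.
    echo "net.core.xfrm_acq_expires = $(sysctl -n net.core.xfrm_acq_expires)"
    out=$(ip xfrm state count)
    n=$(sad_count_from_output "$out")
    echo "SAD count: $n (expected $(expected_sad "$conns"))"
    check_sad "$conns" "$n"
fi
```

Run it on both the initiator and the responder after each load-tester run; a non-zero exit means the run lost CHILD_SAs, and the reported xfrm_acq_expires tells you what larval-SA lifetime was actually in force for that run (a value set with sysctl before "ipsec start" may have been overwritten by charon).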
