[strongSwan] Unable to establish all the security associations with 2000 IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Mon Aug 12 14:24:50 CEST 2013


Hi ,
I changed the “/proc/sys/net/core/xfrm_acq_expires” from 165
to 1000 seconds. What I understand, if an IKEv2 negotiation fails due to a
timeout (during the IKE_AUTH exchange) after a successful IKE_SA_INIT exchange,
then after the timeout (165s by default), charon will retry a new negotiation
from the beginning. I tested with 1000 IPsec tunnels successfully for 10 times.
Always it could able to bring up the tunnels and SAD count was 2000 (both
sides) always. But keeping the xfrm_acq_expires to 1000 seconds and trying to
run with 2000 IPsec tunnels, again started getting the XFRM_MSG_EXPIRE from
kernel. 
Jan  1 04:36:30
14[MGR] check-in of IKE_SA successful.
Jan  1 04:36:37
05[KNL] received a XFRM_MSG_EXPIRE
Jan  1 04:36:37
05[KNL] creating delete job for ESP CHILD_SA with SPI c0235d92 a
nd reqid {806}
Jan  1 04:36:37
03[MGR] checkout IKE_SA by ID
Jan  1 04:36:37
03[JOB] CHILD_SA with reqid 806 not found for delete
Jan  1 04:36:37
05[KNL] received a XFRM_MSG_EXPIRE
Jan  1 04:36:37
05[KNL] creating delete job for ESP CHILD_SA with SPI c3e24128 a
nd reqid {808}
 
Can anyone please clarify the followings?
1)     For increased number of IPsec tunnels
(e.g., 2000, 5000, 10000…), do I need always to change (increase the timeout) the
source code (kernel_netlink_ipsec.c) and then test to figure out which suits
best to our setup?
2)    Is this value is configurable? 
3)    I think, still 165 seconds is quite a
long time.  What might be the possible
cause behind IKE_AUTH exchange taking longer than 165s? Is it processing delay
caused by thread (running at IKE responder end)?
 
 
Here go our configurations
IKE initiator 
strongswan.conf
        threads = 16
        replay_window
= 32
        dos_protection
= no
        block_threshold=2000
        cookie_threshold=2000
        init_limit_half_open=2000
        retransmit_timeout=60
        retransmit_tries=30
        install_virtual_ip=no
        install_routes=no
        close_ike_on_child_failure=yes
        ikesa_table_size = 512
        ikesa_table_segments = 16
        reuse_ikesa =
no
 
 
 load-tester {
                     enable = yes
                     initiators = 40
                     iterations = 50
                     delay = 20
                     responder = 30.30.30.2
                     proposal = aes128-sha1-modp1024
                     initiator_auth = psk
                     responder_auth = psk
                     request_virtual_ip = no
                     ike_rekey = 0
                     child_rekey = 0
                     delete_after_established = no
                     shutdown_when_complete = no
                     #fake_kernel = yes
                  }
 
ipsec.secrets
@srv.strongswan.org %any : PSK "strongSwan"
 
IKE Responder
strongswan.conf
        threads = 16
        replay_window
= 32
        block_threshold=2000
        cookie_threshold=2000
        init_limit_half_open=2000
        half_open_timeout=2000
        dos_protection
= no
        install_virtual_ip=no
        install_routes=no
        close_ike_on_child_failure=yes
        ikesa_table_size = 512
        ikesa_table_segments = 16
        reuse_ikesa =
no
ipsec.conf
conn %default
        ikelifetime=24h
        keylife=23h
        rekeymargin=5m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        mobike=no
 
conn host-host
        left=30.30.30.2
        leftsubnet=30.30.30.2/8
        rightid=%any
        leftauth=psk
        leftfirewall=yes
        right=30.30.30.1
        rightsubnet=30.30.30.1/8
        leftid=@srv.strongswan.org
        rightauth=psk
        type=tunnel
        authby=secret
        rekey=no
        reauth=no
 
ipsec.secrets
@srv.strongswan.org %any : PSK "strongSwan"
 
Regards,
Chinmaya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130812/4537f4d6/attachment.html>


More information about the Users mailing list