[strongSwan] IPsec tunnel problems under high load

Noel Kuntze noel at familie-kuntze.de
Wed Jul 2 14:51:03 CEST 2014


Hello,

My desktop PC is connected to a server in my LAN over IPsec. The server is used, among other things, as DNS resolver.
When my desktop is under high network load (everything over 50 Mbit), I can't initiate new TCP connections over the VPN, nor send UDP or ICMP packets.
When I try to ping the server, I just get "connect: No buffer space available". DNS requests just time out and trying to ssh to the server just yields a similar error as ping does.
An already established ssh connection works just fine, though.
The errors shown in nstat (or netstat -s) increment dramatically when that happens.
When I tear down the tunnel and establish it again, the problem disappears.
My desktop PC gets a "virtual" IP for use in the VPN. If I try to ping that IP from the server, it times out.
If I ping the LAN IP of my desktop PC though, it works just fine.

Did anyone have such a problem and how do I fix that?
I already tried incrementing the replay window to over 32, but strongSwan just sets it to 0, if I try that.
(charon.replay_window)

Regards,
Noel Kuntze

- -- 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658