[strongSwan] IPsec tunnel problems under high load
Martin Willi
martin at strongswan.org
Wed Jul 2 15:15:14 CEST 2014
Hi Noel,
> When my desktop is under high network load (everything over 50 Mbit),
> I can't initiate new TCP connections over the VPN, nor send UDP or ICMP
> packets.
For the local traffic you generate, do you see corresponding ESP packets
leaving your host? Do you see associated ESP packets carrying reply
messages?
> The errors shown in nstat (or netstat -s) increment dramatically when
> that happens.
Do you see any errors in /proc/net/xfrm_stat?
What is your kernel version?
> I already tried incrementing the replay window to over 32, but
> strongSwan just sets it to 0, if I try that.
To configure larger replay windows, charon uses the newer ESN replay
window configuration Netlink attribute. AFAIK that is not supported in
the "ip" tool, hence it falsely reports 0 as replay window for such SAs.
Regards
Martin
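As an added example (not part of this thread or of strongSwan), a small Python helper that parses two snapshots of /proc/net/xfrm_stat, one taken before and one during the high-load period, and reports which counters increased. The sample counter values are constructed, and the per-counter interpretations in HINTS are my own assumed reading of the kernel's xfrm statistics.

```python
from typing import Dict
# Constructed snapshots of /proc/net/xfrm_stat (counter name, tab, value), one
# taken before and one during the high-load period. The numbers are invented.
XFRM_STAT_BEFORE = """\
XfrmInError                     \t0
XfrmInNoStates                  \t0
XfrmInStateSeqError             \t3
XfrmOutError                    \t0
XfrmOutNoStates                 \t0
"""
XFRM_STAT_DURING = """\
XfrmInError                     \t0
XfrmInNoStates                  \t0
XfrmInStateSeqError             \t4871
XfrmOutError                    \t0
XfrmOutNoStates                 \t2
"""

# Assumed reading of the kernel's xfrm counters (not from the thread itself).
HINTS = {
    "XfrmInStateSeqError": "inbound ESP failed the anti-replay check; "
                           "window too small for the reordering seen under load",
    "XfrmInNoStates": "inbound packet matched no SA (unknown SPI, SA expired "
                      "or not yet installed)",
    "XfrmOutNoStates": "outbound policy matched but no SA exists (rekeying gap)",
}

def parse_xfrm_stat(text: str) -> Dict[str, int]:
    """Parse the two-column /proc/net/xfrm_stat format into {name: value}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats

def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Return only the counters that grew between the two snapshots."""
    return {n: v - before.get(n, 0) for n, v in after.items() if v > before.get(n, 0)}

def diagnose(before_text: str, after_text: str) -> Dict[str, str]:
    """Map every counter that increased to its delta and a short interpretation."""
    deltas = counter_deltas(parse_xfrm_stat(before_text), parse_xfrm_stat(after_text))
    return {n: f"+{d}: {HINTS.get(n, 'see the kernel xfrm counter docs')}"
            for n, d in deltas.items()}

if __name__ == "__main__":
    for name, msg in diagnose(XFRM_STAT_BEFORE, XFRM_STAT_DURING).items():
        print(name, msg)
```

On a live host, read /proc/net/xfrm_stat into the two strings before and during the load instead of using the constructed samples.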