[strongSwan] IPsec tunnel problems under high load

Noel Kuntze noel at familie-kuntze.de
Wed Jul 2 16:58:01 CEST 2014


Hello Martin,

No, I don't see ESP packets for my local traffic leaving my host.
/proc/net/xfrm_stat doesn't exist on this host, but the modules are all loaded.
The kernel version is 3.10.45.

(Sorry for the duplicate email. I only noticed my error when it was already too late.)

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 02.07.2014 15:15, Martin Willi wrote:
> Hi Noel,
>
>> When my desktop is under high network load (everything over 50 Mbit),
>> I can't initiate new TCP connections over the VPN, nor send UDP or ICMP
>> packets.
>
> For the local traffic you generate, do you see corresponding ESP packets
> leaving your host? Do you see associated ESP packets carrying reply
> messages?
>
>> The errors shown in nstat (or netstat -s) increment dramatically when
>> that happens.
>
> Do you see any errors in /proc/net/xfrm_stat?
>
> What is your kernel version?
>
>> I already tried incrementing the replay window to over 32, but
>> strongSwan just sets it to 0, if I try that.
>
> To configure larger replay windows, charon uses the newer ESN replay
> windows configuration Netlink attribute. AFAIK that is not supported in
> the "ip" tool, hence it falsely reports 0 as replay window for such SAs.
>
> Regards
> Martin
>

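The check Martin asks for (which counters in /proc/net/xfrm_stat grow while the tunnel stalls), as an added example that is not code from either poster or from strongSwan. The sample counter values are constructed; the file is only present on kernels built with CONFIG_XFRM_STATISTICS, so the script reports its absence instead of failing.

```python
"""Diff two snapshots of /proc/net/xfrm_stat and list the counters that grew."""
import os
import time

XFRM_STAT = "/proc/net/xfrm_stat"  # only present with CONFIG_XFRM_STATISTICS=y

# Counters to read first for the symptoms discussed in this thread.
HINTS = {
    "XfrmInStateSeqError": "sequence number outside the replay window",
    "XfrmInNoStates": "no SA found for inbound SPI/address/protocol",
    "XfrmInBufferError": "no buffer is left",
    "XfrmOutNoStates": "no SA found for outbound packet",
}

# Constructed sample snapshots (not taken from the host in this thread).
SAMPLE_BEFORE = "XfrmInError \t0\nXfrmInBufferError \t0\nXfrmInStateSeqError \t12\nXfrmInNoStates \t3\n"
SAMPLE_AFTER = "XfrmInError \t0\nXfrmInBufferError \t7\nXfrmInStateSeqError \t4312\nXfrmInNoStates \t3\n"

def parse(text):
    """Turn 'Name <whitespace> value' lines into {name: int}; skip anything else."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters

def deltas(before, after):
    """Counters that increased between the two snapshots."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}

def report(before, after):
    """One line per growing counter, largest increase first."""
    grown = sorted(deltas(before, after).items(), key=lambda kv: -kv[1])
    return [f"{name} +{inc}  {HINTS.get(name, '')}".rstrip() for name, inc in grown]

def read_snapshot(path=XFRM_STAT):
    """Return parsed counters, or None when the kernel does not expose the file."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return parse(f.read())

if __name__ == "__main__":
    first = read_snapshot()
    if first is None:
        print(f"{XFRM_STAT} missing: kernel lacks CONFIG_XFRM_STATISTICS")
    else:
        time.sleep(10)  # generate the high load during this interval
        print("\n".join(report(first, read_snapshot())) or "no xfrm errors counted")
```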


