[strongSwan] Multiple Ipsec connections thru one ipsec.conf

Noel Kuntze noel at familie-kuntze.de
Wed Feb 11 22:57:10 CET 2015


Hello Meenakshi,

If you have problems with buffering space, then the charon worker threads obviously cannot
work on all the IKE messages faster than it receives them. Increasing the buffer space would only
delay the point in time when the error occurs. I think you need to both increase the number of workers or
segment the IKE SA table. Refer to [1] for the latter. Changing the number of worker threads is done by setting
charon.threads in strongswan.conf. Consult the man page of strongswan.conf for the correct notation of the configuration
of strongswan.conf.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 11.02.2015 at 22:46, meenakshi bangad wrote:
>  I am trying to bring multiple clients up using ipsec.conf from a single machine. I can bring up to 50 connections up by specifying a new connection in the (conn) section of
>  ipsec.conf on the client. Everything works fine until I try a load test on these IPs. After a fixed number of packets I get an error "No Buffer space available".
> 
>  I changed the sysctl settings to allot more buffer space for reading and writing of TCP, but nothing works. During this time the management interface has no issues.
>  Seems like the 50 tunnels I created max out on memory etc. I have to wait for about 10 minutes and the connections
>  are back to normal, or restart ipsec. Can you please advise what can be done?
> 
>   Sample Config on the client
> #Default for all the client connections
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=2m
>         keyingtries=1
>         keyexchange=ikev1
>
>
>         left=10.101.248.153
>         leftsourceip=%config
>         leftauth=pubkey
>         leftauth2=xauth
>         leftfirewall=yes
>         right=10.101.248.152
>         rightid="C=CH, O=strongSwan, CN=vpntest.x.com"
>         rightsubnet=0.0.0.0/0
>         rightauth=pubkey
> conn P2UJjggrNxA8Vcx_119a1d
>    leftcert=P2UJjggrNxA8Vcx_119a1dCert.pem
>    leftid="C=CH, O=strongSwan, CN=P2UJjggrNxA8Vcx_119a1d"
>    xauth_identity=P2UJjggrNxA8Vcx_119a1d
>    auto=add
>
> conn P2UJjhgrNxA8Vcx_119a1d
>    leftcert=P2UJjhgrNxA8Vcx_119a1dCert.pem
>    leftid="C=CH, O=strongSwan, CN=P2UJjhgrNxA8Vcx_119a1d"
>    xauth_identity=P2UJjhgrNxA8Vcx_119a1d
>    auto=add
>
> thanks,
>
> M
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
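
The two settings named in the reply (charon.threads and the IKE SA table segmentation described at [1]), shown as an added strongswan.conf fragment that is not part of the original message. The numeric values are assumptions chosen for illustration, not figures from the thread.

```conf
# strongswan.conf (added example; all values below are illustrative assumptions)
charon {
    # Number of worker threads in charon (default: 16). Some of these are
    # reserved for long-running internal jobs, so only the remainder is
    # available to process incoming IKE messages.
    threads = 32

    # IKE_SA manager hash table, see the IkeSaTable wiki page at [1].
    # Both options default to 1, which means a single lock guards all IKE_SAs.

    # Size of the IKE_SA hash table; use a power of two.
    ikesa_table_size = 64

    # Number of exclusively locked segments in the hash table; use a power
    # of two that is not larger than ikesa_table_size.
    ikesa_table_segments = 16
}
```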
