[strongSwan] Encryption/Decryption with Libipsec - issue.
Sriram
sriram.ec at gmail.com
Fri May 22 05:17:49 CEST 2015
Hi,
I m using strongswan-5.3.0 for tunnel establishment. In that I m trying
out libipsec which does userspace encryption/decryption.
In our lab I tested a scenario where I sent,
1. 20Mbps uplink traffic from the device where libipsec is running, to a
remote server.
2. 80Mbps downlink traffic from the remote server to the device where
libipsec is running.
These two traffics are sent simultaneously using iperf tool.
I see that charon's memory usage gradually shoots up, it goes upto 630MB
before the device crashes with out of memory.
Attaching the ipsec configuration at the device for the reference,
# ipsec stautusall
Status of IKE charon daemon (strongSwan 5.3.0, Linux
3.10.49-perf-g9578e9c-dirty, armv7l):
uptime: 3 hours, since May 21 12:39:32 2015
malloc: sbrk 262144, mmap 0, used 124296, free 137848
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp
cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke
updown eap-identity eap-md5 xauth-generic xauth-eap
Listening IP addresses:
10.206.1.195
192.168.16.1
192.168.17.1
192.168.18.1
192.168.19.1
192.168.20.1
192.168.21.1
192.168.22.1
Connections:
home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s
home: local: [0005B94234BD at picasso.com] uses EAP_MD5
authentication
home: remote: uses pre-shared key authentication
home: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[0005B94234BD at picasso.com
]...10.x.x..x[a at airvana.com]
home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r,
rekeying in 20 hours
home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i
000a238e_o
home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181
pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6
hours
home{1}: 10.220.10.116/32 === 0.0.0.0/0
# ipsec listall
List of registered IKE algorithms:
encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
TWOFISH_CBC[af-alg]
integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac]
HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac]
HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
HMAC_SHA2_512_512[hmac]
aead:
hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac]
PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac]
PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp]
MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp]
MODP_2048_256[gmp] MODP_CUSTOM[gmp]
random-gen: RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
List of loaded Plugins:
charon:
CUSTOM:libcharon
NONCE_GEN
CUSTOM:libcharon-receiver
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
CUSTOM:libcharon-receiver
HASHER:HASH_SHA1
RNG:RNG_STRONG
CUSTOM:socket
aes:
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
des:
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
sha1:
HASHER:HASH_SHA1
PRF:PRF_KEYED_SHA1
sha2:
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
md5:
HASHER:HASH_MD5
random:
RNG:RNG_STRONG
RNG:RNG_TRUE
nonce:
NONCE_GEN
RNG:RNG_WEAK
x509:
CERT_ENCODE:X509
HASHER:HASH_SHA1
CERT_DECODE:X509
HASHER:HASH_SHA1
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
CERT_ENCODE:X509_AC
CERT_DECODE:X509_AC
CERT_ENCODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_ENCODE:X509_OCSP_REQUEST
HASHER:HASH_SHA1
RNG:RNG_WEAK
CERT_DECODE:X509_OCSP_RESPONSE
CERT_ENCODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
revocation:
CUSTOM:revocation
CERT_ENCODE:X509_OCSP_REQUEST (soft)
CERT_DECODE:X509_OCSP_RESPONSE (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509 (soft)
FETCHER:(null) (soft)
constraints:
CUSTOM:constraints
CERT_DECODE:X509 (soft)
pubkey:
CERT_ENCODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
pkcs1:
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
pkcs7:
CONTAINER_DECODE:PKCS7
CONTAINER_ENCODE:PKCS7_DATA
CONTAINER_ENCODE:PKCS7_SIGNED_DATA
CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
PRIVKEY:ANY
PRIVKEY:RSA
PRIVKEY:ECDSA
pgp:
PRIVKEY:ANY
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
CERT_DECODE:PGP
dnskey:
PUBKEY:ANY
PUBKEY:RSA
pem:
PRIVKEY:ANY
PRIVKEY:ANY
HASHER:HASH_MD5 (soft)
PRIVKEY:RSA
PRIVKEY:RSA
HASHER:HASH_MD5 (soft)
PRIVKEY:ECDSA
PRIVKEY:ECDSA
HASHER:HASH_MD5 (soft)
PRIVKEY:DSA (not loaded)
PRIVKEY:DSA
HASHER:HASH_MD5 (soft)
PUBKEY:ANY
PUBKEY:ANY
PUBKEY:RSA
PUBKEY:RSA
PUBKEY:ECDSA (not loaded)
PUBKEY:ECDSA
PUBKEY:DSA (not loaded)
PUBKEY:DSA
CERT_DECODE:ANY
CERT_DECODE:X509 (soft)
CERT_DECODE:PGP (soft)
CERT_DECODE:X509
CERT_DECODE:X509
CERT_DECODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_DECODE:X509_OCSP_REQUEST (not loaded)
CERT_DECODE:X509_OCSP_REQUEST
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_AC
CERT_DECODE:X509_AC
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:PGP
CERT_DECODE:PGP
CONTAINER_DECODE:PKCS12 (not loaded)
CONTAINER_DECODE:PKCS12
af-alg:
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
CRYPTER:3DES_CBC-24
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
CRYPTER:TWOFISH_CBC-16
CRYPTER:TWOFISH_CBC-24
CRYPTER:TWOFISH_CBC-32
fips-prf:
PRF:PRF_FIPS_SHA1_160
PRF:PRF_KEYED_SHA1
gmp:
DH:MODP_2048
RNG:RNG_STRONG
DH:MODP_2048_224
RNG:RNG_STRONG
DH:MODP_2048_256
RNG:RNG_STRONG
DH:MODP_1536
RNG:RNG_STRONG
DH:MODP_3072
RNG:RNG_STRONG
DH:MODP_4096
RNG:RNG_STRONG
DH:MODP_6144
RNG:RNG_STRONG
DH:MODP_8192
RNG:RNG_STRONG
DH:MODP_1024
RNG:RNG_STRONG
DH:MODP_1024_160
RNG:RNG_STRONG
DH:MODP_768
RNG:RNG_STRONG
DH:MODP_CUSTOM
RNG:RNG_STRONG
PRIVKEY:RSA
PRIVKEY_GEN:RSA
RNG:RNG_TRUE
PUBKEY:RSA
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
RNG:RNG_WEAK
cmac:
PRF:PRF_AES128_CMAC
CRYPTER:AES_CBC-16
SIGNER:AES_CMAC_96
CRYPTER:AES_CBC-16
hmac:
PRF:PRF_HMAC_SHA1
HASHER:HASH_SHA1
PRF:PRF_HMAC_MD5
HASHER:HASH_MD5
PRF:PRF_HMAC_SHA2_256
HASHER:HASH_SHA256
PRF:PRF_HMAC_SHA2_384
HASHER:HASH_SHA384
PRF:PRF_HMAC_SHA2_512
HASHER:HASH_SHA512
SIGNER:HMAC_SHA1_96
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_128
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_160
HASHER:HASH_SHA1
SIGNER:HMAC_MD5_96
HASHER:HASH_MD5
SIGNER:HMAC_MD5_128
HASHER:HASH_MD5
SIGNER:HMAC_SHA2_256_128
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_256_256
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_384_192
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_384_384
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_512_256
HASHER:HASH_SHA512
SIGNER:HMAC_SHA2_512_512
HASHER:HASH_SHA512
attr:
CUSTOM:attr
kernel-libipsec:
CUSTOM:kernel-ipsec
CUSTOM:kernel-libipsec-router
CUSTOM:libcharon-receiver
kernel-netlink:
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
resolve:
CUSTOM:resolve
socket-default:
CUSTOM:socket
CUSTOM:kernel-ipsec (soft)
stroke:
CUSTOM:stroke
PRIVKEY:RSA (soft)
PRIVKEY:ECDSA (soft)
PRIVKEY:DSA (soft)
CERT_DECODE:ANY (soft)
CERT_DECODE:X509 (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509_AC (soft)
CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
CUSTOM:updown
eap-identity:
EAP_SERVER:ID
EAP_CLIENT:ID
eap-md5:
EAP_SERVER:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
EAP_CLIENT:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
xauth-generic:
XAUTH_SERVER:generic
XAUTH_CLIENT:generic
xauth-eap:
XAUTH_SERVER:eap
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1
dmn 1"
conn home
left=10.x.x.x
leftid=0005B94234BD at picasso.com
leftauth=eap-md5
rightauth=psk
leftsourceip=%config
leftfirewall=yes
ike=3des-sha1-prfsha1-modp1024!
esp=aes128-sha1!
right=10.x.x.x
rightsubnet=0.0.0.0/0
rightid=%any
auto=add
mobike=no
dpddelay=200s
dpdaction=clear
rekey=yes
ikelifetime=86400
lifetime=36000
reauth=no
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
# number of worker threads in charon
threads = 16
close_ike_on_child_failure = yes
retransmit_tries = 20
retransmit_timeout = 20
retransmit_base = 1
keep_alive = 20s
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost
/database
}
resolve{
file = /etc/resolvtunnel.conf
}
kernel-netlink {
fwmark = !0x42
}
socket-default {
fwmark = 0x42
}
kernel-libipsec {
allow_peer_ts = yes
}
}
Let me know if this is an existing issue.. Please let me know if any
further information is required.
Regards,
Sriram.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150522/b37f2ab5/attachment-0001.html>
More information about the Users
mailing list