[strongSwan] Fwd: Encryption/Decryption with Libipsec - Memory leak issue with charon
Sriram
sriram.ec at gmail.com
Fri May 22 08:44:37 CEST 2015
---------- Forwarded message ----------
From: Sriram <sriram.ec at gmail.com>
Date: Fri, May 22, 2015 at 8:47 AM
Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
To: users at lists.strongswan.org
Hi,
I'm using strongswan-5.3.0 for tunnel establishment. With it I'm trying
out libipsec, which does userspace encryption/decryption.
In our lab I tested a scenario where I sent:
1. 20Mbps uplink traffic from the device where libipsec is running to a remote server.
2. 80Mbps downlink traffic from the remote server to the device where libipsec is running.
These two traffic streams are sent simultaneously using the iperf tool.
I see that charon's memory usage gradually shoots up; it goes up to 630MB
before the device crashes with out of memory.
Attaching the ipsec configuration at the device for reference:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):
uptime: 3 hours, since May 21 12:39:32 2015
malloc: sbrk 262144, mmap 0, used 124296, free 137848
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp
cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke
updown eap-identity eap-md5 xauth-generic xauth-eap
Listening IP addresses:
10.206.1.195
192.168.16.1
192.168.17.1
192.168.18.1
192.168.19.1
192.168.20.1
192.168.21.1
192.168.22.1
Connections:
home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s
home: local: [0005B94234BD at picasso.com] uses EAP_MD5 authentication
home: remote: uses pre-shared key authentication
home: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[0005B94234BD at picasso.com]...10.x.x..x[a at airvana.com]
home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, rekeying in 20 hours
home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 000a238e_o
home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours
home{1}: 10.220.10.116/32 === 0.0.0.0/0
# ipsec listall
List of registered IKE algorithms:
encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]
integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]
aead:
hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp] MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
random-gen: RNG_STRONG[random] RNG_TRUE[random]
nonce-gen: [nonce]
List of loaded Plugins:
charon:
CUSTOM:libcharon
NONCE_GEN
CUSTOM:libcharon-receiver
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
CUSTOM:libcharon-receiver
HASHER:HASH_SHA1
RNG:RNG_STRONG
CUSTOM:socket
aes:
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
des:
CRYPTER:3DES_CBC-24
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
sha1:
HASHER:HASH_SHA1
PRF:PRF_KEYED_SHA1
sha2:
HASHER:HASH_SHA224
HASHER:HASH_SHA256
HASHER:HASH_SHA384
HASHER:HASH_SHA512
md5:
HASHER:HASH_MD5
random:
RNG:RNG_STRONG
RNG:RNG_TRUE
nonce:
NONCE_GEN
RNG:RNG_WEAK
x509:
CERT_ENCODE:X509
HASHER:HASH_SHA1
CERT_DECODE:X509
HASHER:HASH_SHA1
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
CERT_ENCODE:X509_AC
CERT_DECODE:X509_AC
CERT_ENCODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_ENCODE:X509_OCSP_REQUEST
HASHER:HASH_SHA1
RNG:RNG_WEAK
CERT_DECODE:X509_OCSP_RESPONSE
CERT_ENCODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
revocation:
CUSTOM:revocation
CERT_ENCODE:X509_OCSP_REQUEST (soft)
CERT_DECODE:X509_OCSP_RESPONSE (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509 (soft)
FETCHER:(null) (soft)
constraints:
CUSTOM:constraints
CERT_DECODE:X509 (soft)
pubkey:
CERT_ENCODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
PUBKEY:RSA (soft)
PUBKEY:ECDSA (soft)
PUBKEY:DSA (soft)
pkcs1:
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
pkcs7:
CONTAINER_DECODE:PKCS7
CONTAINER_ENCODE:PKCS7_DATA
CONTAINER_ENCODE:PKCS7_SIGNED_DATA
CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8:
PRIVKEY:ANY
PRIVKEY:RSA
PRIVKEY:ECDSA
pgp:
PRIVKEY:ANY
PRIVKEY:RSA
PUBKEY:ANY
PUBKEY:RSA
CERT_DECODE:PGP
dnskey:
PUBKEY:ANY
PUBKEY:RSA
pem:
PRIVKEY:ANY
PRIVKEY:ANY
HASHER:HASH_MD5 (soft)
PRIVKEY:RSA
PRIVKEY:RSA
HASHER:HASH_MD5 (soft)
PRIVKEY:ECDSA
PRIVKEY:ECDSA
HASHER:HASH_MD5 (soft)
PRIVKEY:DSA (not loaded)
PRIVKEY:DSA
HASHER:HASH_MD5 (soft)
PUBKEY:ANY
PUBKEY:ANY
PUBKEY:RSA
PUBKEY:RSA
PUBKEY:ECDSA (not loaded)
PUBKEY:ECDSA
PUBKEY:DSA (not loaded)
PUBKEY:DSA
CERT_DECODE:ANY
CERT_DECODE:X509 (soft)
CERT_DECODE:PGP (soft)
CERT_DECODE:X509
CERT_DECODE:X509
CERT_DECODE:X509_CRL
CERT_DECODE:X509_CRL
CERT_DECODE:X509_OCSP_REQUEST (not loaded)
CERT_DECODE:X509_OCSP_REQUEST
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_OCSP_RESPONSE
CERT_DECODE:X509_AC
CERT_DECODE:X509_AC
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:PKCS10_REQUEST
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:TRUSTED_PUBKEY
CERT_DECODE:PGP
CERT_DECODE:PGP
CONTAINER_DECODE:PKCS12 (not loaded)
CONTAINER_DECODE:PKCS12
af-alg:
CRYPTER:DES_CBC-8
CRYPTER:DES_ECB-8
CRYPTER:3DES_CBC-24
CRYPTER:AES_CBC-16
CRYPTER:AES_CBC-24
CRYPTER:AES_CBC-32
CRYPTER:TWOFISH_CBC-16
CRYPTER:TWOFISH_CBC-24
CRYPTER:TWOFISH_CBC-32
fips-prf:
PRF:PRF_FIPS_SHA1_160
PRF:PRF_KEYED_SHA1
gmp:
DH:MODP_2048
RNG:RNG_STRONG
DH:MODP_2048_224
RNG:RNG_STRONG
DH:MODP_2048_256
RNG:RNG_STRONG
DH:MODP_1536
RNG:RNG_STRONG
DH:MODP_3072
RNG:RNG_STRONG
DH:MODP_4096
RNG:RNG_STRONG
DH:MODP_6144
RNG:RNG_STRONG
DH:MODP_8192
RNG:RNG_STRONG
DH:MODP_1024
RNG:RNG_STRONG
DH:MODP_1024_160
RNG:RNG_STRONG
DH:MODP_768
RNG:RNG_STRONG
DH:MODP_CUSTOM
RNG:RNG_STRONG
PRIVKEY:RSA
PRIVKEY_GEN:RSA
RNG:RNG_TRUE
PUBKEY:RSA
PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
HASHER:HASH_SHA1
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
HASHER:HASH_SHA224
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
HASHER:HASH_SHA256
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
HASHER:HASH_SHA384
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
HASHER:HASH_SHA512
PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
HASHER:HASH_MD5
PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
RNG:RNG_WEAK
cmac:
PRF:PRF_AES128_CMAC
CRYPTER:AES_CBC-16
SIGNER:AES_CMAC_96
CRYPTER:AES_CBC-16
hmac:
PRF:PRF_HMAC_SHA1
HASHER:HASH_SHA1
PRF:PRF_HMAC_MD5
HASHER:HASH_MD5
PRF:PRF_HMAC_SHA2_256
HASHER:HASH_SHA256
PRF:PRF_HMAC_SHA2_384
HASHER:HASH_SHA384
PRF:PRF_HMAC_SHA2_512
HASHER:HASH_SHA512
SIGNER:HMAC_SHA1_96
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_128
HASHER:HASH_SHA1
SIGNER:HMAC_SHA1_160
HASHER:HASH_SHA1
SIGNER:HMAC_MD5_96
HASHER:HASH_MD5
SIGNER:HMAC_MD5_128
HASHER:HASH_MD5
SIGNER:HMAC_SHA2_256_128
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_256_256
HASHER:HASH_SHA256
SIGNER:HMAC_SHA2_384_192
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_384_384
HASHER:HASH_SHA384
SIGNER:HMAC_SHA2_512_256
HASHER:HASH_SHA512
SIGNER:HMAC_SHA2_512_512
HASHER:HASH_SHA512
attr:
CUSTOM:attr
kernel-libipsec:
CUSTOM:kernel-ipsec
CUSTOM:kernel-libipsec-router
CUSTOM:libcharon-receiver
kernel-netlink:
CUSTOM:kernel-ipsec
CUSTOM:kernel-net
resolve:
CUSTOM:resolve
socket-default:
CUSTOM:socket
CUSTOM:kernel-ipsec (soft)
stroke:
CUSTOM:stroke
PRIVKEY:RSA (soft)
PRIVKEY:ECDSA (soft)
PRIVKEY:DSA (soft)
CERT_DECODE:ANY (soft)
CERT_DECODE:X509 (soft)
CERT_DECODE:X509_CRL (soft)
CERT_DECODE:X509_AC (soft)
CERT_DECODE:TRUSTED_PUBKEY (soft)
updown:
CUSTOM:updown
eap-identity:
EAP_SERVER:ID
EAP_CLIENT:ID
eap-md5:
EAP_SERVER:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
EAP_CLIENT:MD5
HASHER:HASH_MD5
RNG:RNG_WEAK
xauth-generic:
XAUTH_SERVER:generic
XAUTH_CLIENT:generic
xauth-eap:
XAUTH_SERVER:eap
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn 1"
conn home
left=10.x.x.x
leftid=0005B94234BD at picasso.com
leftauth=eap-md5
rightauth=psk
leftsourceip=%config
leftfirewall=yes
ike=3des-sha1-prfsha1-modp1024!
esp=aes128-sha1!
right=10.x.x.x
rightsubnet=0.0.0.0/0
rightid=%any
auto=add
mobike=no
dpddelay=200s
dpdaction=clear
rekey=yes
ikelifetime=86400
lifetime=36000
reauth=no
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
# number of worker threads in charon
threads = 16
close_ike_on_child_failure = yes
retransmit_tries = 20
retransmit_timeout = 20
retransmit_base = 1
keep_alive = 20s
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
resolve{
file = /etc/resolvtunnel.conf
}
kernel-netlink {
fwmark = !0x42
}
socket-default {
fwmark = 0x42
}
kernel-libipsec {
allow_peer_ts = yes
}
}
}
Let me know if this is an existing issue. Please let me know if any
further information is required.
Regards,
Sriram.
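A small triage helper for the kind of report above, added here as an example; it is not code from the original post or from the strongSwan project. It parses the `malloc:` and CHILD_SA counter lines of `ipsec statusall` (format copied from the output in the post) and, given periodic samples of charon's resident set size alongside the ESP packet counters, checks whether memory growth tracks traffic at a roughly constant bytes-per-packet rate, which is what a per-packet leak in the userspace ESP path looks like, as opposed to a one-off warm-up allocation that then plateaus. The RSS numbers in the later samples are constructed for illustration, and `read_rss_kb` assumes a Linux `/proc` layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample; the line formats are those of 'ipsec statusall' as quoted in the post.
STATUSALL_SAMPLE = """\
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):
  uptime: 3 hours, since May 21 12:39:32 2015
  malloc: sbrk 262144, mmap 0, used 124296, free 137848
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
Security Associations (1 up, 0 connecting):
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours
"""

MALLOC_RE = re.compile(r"malloc: sbrk (\d+), mmap (\d+), used (\d+), free (\d+)")
# strongSwan prints "0 bytes_i" without a packet count when nothing was received yet,
# so the "(N pkts ...)" groups are optional.
CHILD_RE = re.compile(
    r"(\d+) bytes_i(?: \((\d+) pkts[^)]*\))?, (\d+) bytes_o(?: \((\d+) pkts[^)]*\))?"
)


def parse_statusall(text: str) -> dict:
    """Extract the main-arena malloc stats and the first CHILD_SA traffic counters."""
    out = {"sbrk": 0, "mmap": 0, "used": 0, "free": 0,
           "bytes_i": 0, "pkts_i": 0, "bytes_o": 0, "pkts_o": 0}
    m = MALLOC_RE.search(text)
    if m:
        out["sbrk"], out["mmap"], out["used"], out["free"] = map(int, m.groups())
    c = CHILD_RE.search(text)
    if c:
        bi, pi, bo, po = c.groups()
        out["bytes_i"], out["pkts_i"] = int(bi), int(pi or 0)
        out["bytes_o"], out["pkts_o"] = int(bo), int(po or 0)
    return out


def read_rss_kb(pid: int) -> Optional[int]:
    """VmRSS of a process in kB from /proc (Linux only); None if unavailable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("VmRSS:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


@dataclass
class Sample:
    seconds: int   # time since the load test started
    rss_kb: int    # charon's VmRSS at that moment
    pkts: int      # pkts_i + pkts_o from parse_statusall at that moment


def interval_rates(samples: List[Sample]) -> List[float]:
    """Bytes of RSS growth per ESP packet for each interval between consecutive samples."""
    rates = []
    for a, b in zip(samples, samples[1:]):
        pkts = b.pkts - a.pkts
        if pkts <= 0:
            raise ValueError("packet counters must increase between samples")
        rates.append((b.rss_kb - a.rss_kb) * 1024 / pkts)
    return rates


def looks_like_leak(samples: List[Sample], min_intervals: int = 2, spread: float = 2.0) -> bool:
    """True when RSS grows in every interval at a stable per-packet rate.

    A plateau (a zero or negative interval) or a wildly varying rate points at
    buffering or one-off allocation rather than memory lost on every packet."""
    rates = interval_rates(samples)
    if len(rates) < min_intervals or min(rates) <= 0:
        return False
    return max(rates) / min(rates) <= spread


# Constructed series: RSS climbs by 100 MB per 5 million packets, as in a per-packet leak.
LEAKY = [Sample(0, 50_000, 0), Sample(600, 150_000, 5_000_000),
         Sample(1200, 250_000, 10_000_000), Sample(1800, 350_000, 15_000_000)]
# Constructed series: RSS grows once and then stays flat while traffic continues.
PLATEAU = [Sample(0, 50_000, 0), Sample(600, 150_000, 5_000_000),
           Sample(1200, 150_000, 10_000_000)]

if __name__ == "__main__":
    print(parse_statusall(STATUSALL_SAMPLE))
    print("leaky:", looks_like_leak(LEAKY), "plateau:", looks_like_leak(PLATEAU))
```

One thing the parser makes visible on the post's own numbers: the `malloc:` line reports the main glibc arena only (sbrk 256 kB, mmap 0), so when the process RSS is hundreds of megabytes the growth is elsewhere, which is why sampling `VmRSS` against the packet counters is the more useful signal while reproducing.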