[strongSwan] Fwd: Encryption/Decryption with Libipsec - Memory leak issue with charon
Miroslav Svoboda
goodmirek at goodmirek.cz
Fri May 22 11:08:16 CEST 2015
I suppose you may want to create a new bug report for this issue.
You can do it here: https://wiki.strongswan.org/projects/strongswan/issues/new
You would need to create an account, unless you already have one.
Miroslav
On Friday, May 22, 2015 at 8:44:44 AM UTC+2, Sriram wrote:
>
>
> ---------- Forwarded message ----------
> From: Sriram <sriram.ec at gmail.com>
> Date: Fri, May 22, 2015 at 8:47 AM
> Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
> To: users at lists.strongswan.org
>
>
> Hi,
>
> I'm using strongswan-5.3.0 for tunnel establishment. In that I'm trying
> out libipsec, which does userspace encryption/decryption.
>
> In our lab I tested a scenario where I sent,
>
> 1. 20Mbps uplink traffic from the device where libipsec is running, to a
> remote server.
> 2. 80Mbps downlink traffic from the remote server to the device where
> libipsec is running.
>
> These two traffic streams are sent simultaneously using the iperf tool.
> I see that charon's memory usage gradually shoots up; it goes up to 630MB
> before the device crashes with out of memory.
>
> Attaching the ipsec configuration at the device for reference:
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.0, Linux
> 3.10.49-perf-g9578e9c-dirty, armv7l):
> uptime: 3 hours, since May 21 12:39:32 2015
> malloc: sbrk 262144, mmap 0, used 124296, free 137848
> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
> scheduled: 5
> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg
> fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve
> socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
> Listening IP addresses:
> 10.206.1.195
> 192.168.16.1
> 192.168.17.1
> 192.168.18.1
> 192.168.19.1
> 192.168.20.1
> 192.168.21.1
> 192.168.22.1
> Connections:
> home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s
> home: local: [0005B94234BD at picasso.com] uses EAP_MD5
> authentication
> home: remote: uses pre-shared key authentication
> home: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[
> 0005B94234BD at picasso.com]...10.x.x..x[a at airvana.com]
> home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r,
> rekeying in 20 hours
> home[1]: IKE proposal:
> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i
> 000a238e_o
> home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181
> pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6
> hours
> home{1}: 10.220.10.116/32 === 0.0.0.0/0
> # ipsec listall
>
> List of registered IKE algorithms:
>
> encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
> TWOFISH_CBC[af-alg]
> integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac]
> HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
> HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac]
> HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
> HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
> HMAC_SHA2_512_512[hmac]
> aead:
> hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
> HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
> prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac]
> PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
> PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac]
> PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
> dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp]
> MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
> MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp]
> MODP_2048_256[gmp] MODP_CUSTOM[gmp]
> random-gen: RNG_STRONG[random] RNG_TRUE[random]
> nonce-gen: [nonce]
>
> List of loaded Plugins:
>
> charon:
> CUSTOM:libcharon
> NONCE_GEN
> CUSTOM:libcharon-receiver
> CUSTOM:kernel-ipsec
> CUSTOM:kernel-net
> CUSTOM:libcharon-receiver
> HASHER:HASH_SHA1
> RNG:RNG_STRONG
> CUSTOM:socket
> aes:
> CRYPTER:AES_CBC-16
> CRYPTER:AES_CBC-24
> CRYPTER:AES_CBC-32
> des:
> CRYPTER:3DES_CBC-24
> CRYPTER:DES_CBC-8
> CRYPTER:DES_ECB-8
> sha1:
> HASHER:HASH_SHA1
> PRF:PRF_KEYED_SHA1
> sha2:
> HASHER:HASH_SHA224
> HASHER:HASH_SHA256
> HASHER:HASH_SHA384
> HASHER:HASH_SHA512
> md5:
> HASHER:HASH_MD5
> random:
> RNG:RNG_STRONG
> RNG:RNG_TRUE
> nonce:
> NONCE_GEN
> RNG:RNG_WEAK
> x509:
> CERT_ENCODE:X509
> HASHER:HASH_SHA1
> CERT_DECODE:X509
> HASHER:HASH_SHA1
> PUBKEY:RSA (soft)
> PUBKEY:ECDSA (soft)
> PUBKEY:DSA (soft)
> CERT_ENCODE:X509_AC
> CERT_DECODE:X509_AC
> CERT_ENCODE:X509_CRL
> CERT_DECODE:X509_CRL
> CERT_ENCODE:X509_OCSP_REQUEST
> HASHER:HASH_SHA1
> RNG:RNG_WEAK
> CERT_DECODE:X509_OCSP_RESPONSE
> CERT_ENCODE:PKCS10_REQUEST
> CERT_DECODE:PKCS10_REQUEST
> revocation:
> CUSTOM:revocation
> CERT_ENCODE:X509_OCSP_REQUEST (soft)
> CERT_DECODE:X509_OCSP_RESPONSE (soft)
> CERT_DECODE:X509_CRL (soft)
> CERT_DECODE:X509 (soft)
> FETCHER:(null) (soft)
> constraints:
> CUSTOM:constraints
> CERT_DECODE:X509 (soft)
> pubkey:
> CERT_ENCODE:TRUSTED_PUBKEY
> CERT_DECODE:TRUSTED_PUBKEY
> PUBKEY:RSA (soft)
> PUBKEY:ECDSA (soft)
> PUBKEY:DSA (soft)
> pkcs1:
> PRIVKEY:RSA
> PUBKEY:ANY
> PUBKEY:RSA
> pkcs7:
> CONTAINER_DECODE:PKCS7
> CONTAINER_ENCODE:PKCS7_DATA
> CONTAINER_ENCODE:PKCS7_SIGNED_DATA
> CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
> pkcs8:
> PRIVKEY:ANY
> PRIVKEY:RSA
> PRIVKEY:ECDSA
> pgp:
> PRIVKEY:ANY
> PRIVKEY:RSA
> PUBKEY:ANY
> PUBKEY:RSA
> CERT_DECODE:PGP
> dnskey:
> PUBKEY:ANY
> PUBKEY:RSA
> pem:
> PRIVKEY:ANY
> PRIVKEY:ANY
> HASHER:HASH_MD5 (soft)
> PRIVKEY:RSA
> PRIVKEY:RSA
> HASHER:HASH_MD5 (soft)
> PRIVKEY:ECDSA
> PRIVKEY:ECDSA
> HASHER:HASH_MD5 (soft)
> PRIVKEY:DSA (not loaded)
> PRIVKEY:DSA
> HASHER:HASH_MD5 (soft)
> PUBKEY:ANY
> PUBKEY:ANY
> PUBKEY:RSA
> PUBKEY:RSA
> PUBKEY:ECDSA (not loaded)
> PUBKEY:ECDSA
> PUBKEY:DSA (not loaded)
> PUBKEY:DSA
> CERT_DECODE:ANY
> CERT_DECODE:X509 (soft)
> CERT_DECODE:PGP (soft)
> CERT_DECODE:X509
> CERT_DECODE:X509
> CERT_DECODE:X509_CRL
> CERT_DECODE:X509_CRL
> CERT_DECODE:X509_OCSP_REQUEST (not loaded)
> CERT_DECODE:X509_OCSP_REQUEST
> CERT_DECODE:X509_OCSP_RESPONSE
> CERT_DECODE:X509_OCSP_RESPONSE
> CERT_DECODE:X509_AC
> CERT_DECODE:X509_AC
> CERT_DECODE:PKCS10_REQUEST
> CERT_DECODE:PKCS10_REQUEST
> CERT_DECODE:TRUSTED_PUBKEY
> CERT_DECODE:TRUSTED_PUBKEY
> CERT_DECODE:PGP
> CERT_DECODE:PGP
> CONTAINER_DECODE:PKCS12 (not loaded)
> CONTAINER_DECODE:PKCS12
> af-alg:
> CRYPTER:DES_CBC-8
> CRYPTER:DES_ECB-8
> CRYPTER:3DES_CBC-24
> CRYPTER:AES_CBC-16
> CRYPTER:AES_CBC-24
> CRYPTER:AES_CBC-32
> CRYPTER:TWOFISH_CBC-16
> CRYPTER:TWOFISH_CBC-24
> CRYPTER:TWOFISH_CBC-32
> fips-prf:
> PRF:PRF_FIPS_SHA1_160
> PRF:PRF_KEYED_SHA1
> gmp:
> DH:MODP_2048
> RNG:RNG_STRONG
> DH:MODP_2048_224
> RNG:RNG_STRONG
> DH:MODP_2048_256
> RNG:RNG_STRONG
> DH:MODP_1536
> RNG:RNG_STRONG
> DH:MODP_3072
> RNG:RNG_STRONG
> DH:MODP_4096
> RNG:RNG_STRONG
> DH:MODP_6144
> RNG:RNG_STRONG
> DH:MODP_8192
> RNG:RNG_STRONG
> DH:MODP_1024
> RNG:RNG_STRONG
> DH:MODP_1024_160
> RNG:RNG_STRONG
> DH:MODP_768
> RNG:RNG_STRONG
> DH:MODP_CUSTOM
> RNG:RNG_STRONG
> PRIVKEY:RSA
> PRIVKEY_GEN:RSA
> RNG:RNG_TRUE
> PUBKEY:RSA
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
> HASHER:HASH_SHA1
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
> HASHER:HASH_SHA224
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
> HASHER:HASH_SHA256
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
> HASHER:HASH_SHA384
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
> HASHER:HASH_SHA512
> PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
> HASHER:HASH_MD5
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
> HASHER:HASH_SHA1
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
> HASHER:HASH_SHA224
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
> HASHER:HASH_SHA256
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
> HASHER:HASH_SHA384
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
> HASHER:HASH_SHA512
> PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
> HASHER:HASH_MD5
> PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
> PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
> RNG:RNG_WEAK
> cmac:
> PRF:PRF_AES128_CMAC
> CRYPTER:AES_CBC-16
> SIGNER:AES_CMAC_96
> CRYPTER:AES_CBC-16
> hmac:
> PRF:PRF_HMAC_SHA1
> HASHER:HASH_SHA1
> PRF:PRF_HMAC_MD5
> HASHER:HASH_MD5
> PRF:PRF_HMAC_SHA2_256
> HASHER:HASH_SHA256
> PRF:PRF_HMAC_SHA2_384
> HASHER:HASH_SHA384
> PRF:PRF_HMAC_SHA2_512
> HASHER:HASH_SHA512
> SIGNER:HMAC_SHA1_96
> HASHER:HASH_SHA1
> SIGNER:HMAC_SHA1_128
> HASHER:HASH_SHA1
> SIGNER:HMAC_SHA1_160
> HASHER:HASH_SHA1
> SIGNER:HMAC_MD5_96
> HASHER:HASH_MD5
> SIGNER:HMAC_MD5_128
> HASHER:HASH_MD5
> SIGNER:HMAC_SHA2_256_128
> HASHER:HASH_SHA256
> SIGNER:HMAC_SHA2_256_256
> HASHER:HASH_SHA256
> SIGNER:HMAC_SHA2_384_192
> HASHER:HASH_SHA384
> SIGNER:HMAC_SHA2_384_384
> HASHER:HASH_SHA384
> SIGNER:HMAC_SHA2_512_256
> HASHER:HASH_SHA512
> SIGNER:HMAC_SHA2_512_512
> HASHER:HASH_SHA512
> attr:
> CUSTOM:attr
> kernel-libipsec:
> CUSTOM:kernel-ipsec
> CUSTOM:kernel-libipsec-router
> CUSTOM:libcharon-receiver
> kernel-netlink:
> CUSTOM:kernel-ipsec
> CUSTOM:kernel-net
> resolve:
> CUSTOM:resolve
> socket-default:
> CUSTOM:socket
> CUSTOM:kernel-ipsec (soft)
> stroke:
> CUSTOM:stroke
> PRIVKEY:RSA (soft)
> PRIVKEY:ECDSA (soft)
> PRIVKEY:DSA (soft)
> CERT_DECODE:ANY (soft)
> CERT_DECODE:X509 (soft)
> CERT_DECODE:X509_CRL (soft)
> CERT_DECODE:X509_AC (soft)
> CERT_DECODE:TRUSTED_PUBKEY (soft)
> updown:
> CUSTOM:updown
> eap-identity:
> EAP_SERVER:ID
> EAP_CLIENT:ID
> eap-md5:
> EAP_SERVER:MD5
> HASHER:HASH_MD5
> RNG:RNG_WEAK
> EAP_CLIENT:MD5
> HASHER:HASH_MD5
> RNG:RNG_WEAK
> xauth-generic:
> XAUTH_SERVER:generic
> XAUTH_CLIENT:generic
> xauth-eap:
> XAUTH_SERVER:eap
>
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
> charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl
> 1 dmn 1"
>
> conn home
> left=10.x.x.x
> leftid=0005B94234BD at picasso.com
> leftauth=eap-md5
> rightauth=psk
> leftsourceip=%config
> leftfirewall=yes
> ike=3des-sha1-prfsha1-modp1024!
> esp=aes128-sha1!
> right=10.x.x.x
> rightsubnet=0.0.0.0/0
> rightid=%any
> auto=add
> mobike=no
> dpddelay=200s
> dpdaction=clear
> rekey=yes
> ikelifetime=86400
> lifetime=36000
> reauth=no
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
>
> cat /etc/strongswan.conf
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
> # number of worker threads in charon
> threads = 16
>
> close_ike_on_child_failure = yes
> retransmit_tries = 20
> retransmit_timeout = 20
> retransmit_base = 1
>
> keep_alive = 20s
> # send strongswan vendor ID?
> # send_vendor_id = yes
>
> plugins {
>
> sql {
> # loglevel to log into sql database
> loglevel = -1
> # URI to the database
> # database = sqlite:///path/to/file.db
> # database =
> mysql://user:password@localhost/database
> }
> resolve{
> file = /etc/resolvtunnel.conf
> }
> kernel-netlink {
> fwmark = !0x42
> }
> socket-default {
> fwmark = 0x42
> }
> kernel-libipsec {
> allow_peer_ts = yes
> }
> }
>
>
> Let me know if this is an existing issue. Please let me know if any
> further information is required.
>
> Regards,
> Sriram.
>
>
>
>
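The gradual growth Sriram describes (charon climbing to 630MB under sustained iperf load until the device runs out of memory) is easiest to confirm by sampling charon's resident set during the run and trending it against the ESP packet counters. The following is an added example, not code from the thread or from strongSwan: it parses the malloc summary and CHILD_SA counter lines of `ipsec statusall` in the layout quoted above, takes VmRSS readings supplied by the caller (assumed to come from a hypothetical reader of /proc/<pid>/status), and reports the growth rate and the bytes of growth per ESP packet; all samples are constructed.

```python
import re
from dataclasses import dataclass
# Two lines of `ipsec statusall` as quoted in the post: charon's malloc summary and the
# CHILD_SA counters (mail clients wrap the latter, hence \s+ before "pkts").
MALLOC_RE = re.compile(r"malloc: sbrk (\d+), mmap (\d+), used (\d+), free (\d+)")
TRAFFIC_RE = re.compile(r"(\d+) bytes_i \((\d+)\s+pkts.*?(\d+) bytes_o \((\d+)\s+pkts", re.S)

@dataclass
class Sample:
    t: float       # seconds since the first sample (wall clock, supplied by the caller)
    rss_kb: int    # VmRSS of charon, read by the caller from /proc/<pid>/status
    used: int      # "used" bytes from the malloc: line, kept for comparison only
    pkts_in: int   # inbound ESP packets on the CHILD_SA
    pkts_out: int  # outbound ESP packets on the CHILD_SA

def parse_sample(t: float, rss_kb: int, statusall: str) -> Sample:
    m, tr = MALLOC_RE.search(statusall), TRAFFIC_RE.search(statusall)
    if not m or not tr:
        raise ValueError("unexpected statusall layout")
    return Sample(t, rss_kb, int(m.group(3)), int(tr.group(2)), int(tr.group(4)))
def growth_per_packet(samples: list) -> float:
    """Bytes of RSS growth per ESP packet handled between the first and last sample."""
    a, b = samples[0], samples[-1]
    pkts = (b.pkts_in - a.pkts_in) + (b.pkts_out - a.pkts_out)
    return (b.rss_kb - a.rss_kb) * 1024 / pkts if pkts > 0 else 0.0

def rss_slope_kb_per_s(samples: list) -> float:
    """Least-squares slope of RSS over time, in KB/s."""
    n = len(samples)
    mt, mr = sum(s.t for s in samples) / n, sum(s.rss_kb for s in samples) / n
    num = sum((s.t - mt) * (s.rss_kb - mr) for s in samples)
    den = sum((s.t - mt) ** 2 for s in samples)
    return num / den if den else 0.0
def looks_like_leak(samples: list, min_slope_kb_per_s: float = 1.0) -> bool:
    """A warm-up plateau stops rising; a leak rises at every sample under steady load."""
    rising = all(y.rss_kb > x.rss_kb for x, y in zip(samples, samples[1:]))
    return rising and rss_slope_kb_per_s(samples) > min_slope_kb_per_s

def _snapshot(used: int, pkts_i: int, pkts_o: int) -> str:  # constructed statusall text
    return (f"malloc: sbrk 262144, mmap 0, used {used}, free 137848\n"
            f"home{{1}}: AES_CBC_128/HMAC_SHA1_96, {pkts_i * 1300} bytes_i ({pkts_i}\n"
            f"pkts, 9s ago), {pkts_o * 1300} bytes_o ({pkts_o} pkts, 9s ago)\n")

# Constructed samples, one every 10 minutes of the iperf run: the malloc "used" counter is
# kept near the 124296 bytes seen in the quoted statusall while RSS grows, so RSS is trended.
SAMPLES = [
    parse_sample(0, 51200, _snapshot(124296, 1000, 250)),
    parse_sample(600, 102400, _snapshot(124300, 410600, 102650)),
    parse_sample(1200, 153600, _snapshot(124310, 820200, 205050)),
]
```

A per-packet figure that stays constant across runs at different rates points at a per-packet allocation that is never freed, whereas a rate that tracks wall time rather than packet count points elsewhere.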