[strongSwan] Fwd: Encryption/Decryption with Libipsec - Memory leak issue with charon

Miroslav Svoboda goodmirek at goodmirek.cz
Fri May 22 11:08:16 CEST 2015


I suppose you may want to create a new bug report for this issue.
You can do it here: https://wiki.strongswan.org/projects/strongswan/issues/new
You would need to create an account, unless you already have one.

Miroslav

On Friday, May 22, 2015 at 8:44:44 AM UTC+2, Sriram wrote:
>
>
> ---------- Forwarded message ----------
> From: Sriram <sriram.ec at gmail.com>
> Date: Fri, May 22, 2015 at 8:47 AM
> Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
> To: users at lists.strongswan.org
>
>
> Hi,
>
> I am using strongswan-5.3.0 for tunnel establishment. In that I am trying 
> out libipsec, which does userspace encryption/decryption.
>
> In our lab I tested a scenario where I sent, 
>
> 1. 20Mbps uplink traffic from the device where libipsec is running, to a 
> remote server.
> 2. 80Mbps downlink traffic from the remote server to the device where 
> libipsec is running.
>
> These two traffic streams are sent simultaneously using the iperf tool.
> I see that charon's memory usage gradually shoots up; it goes up to 630MB 
> before the device crashes with out of memory.
>
> Attaching the ipsec configuration at the device for reference:
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.0, Linux 
> 3.10.49-perf-g9578e9c-dirty, armv7l):
>   uptime: 3 hours, since May 21 12:39:32 2015
>   malloc: sbrk 262144, mmap 0, used 124296, free 137848
>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
> scheduled: 5
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg 
> fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve 
> socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
> Listening IP addresses:
>   10.206.1.195
>   192.168.16.1
>   192.168.17.1
>   192.168.18.1
>   192.168.19.1
>   192.168.20.1
>   192.168.21.1
>   192.168.22.1
> Connections:
>         home:  10.x.x.x....10.x.x.x  IKEv2, dpddelay=200s
>         home:   local:  [0005B94234BD at picasso.com] uses EAP_MD5 
> authentication
>         home:   remote: uses pre-shared key authentication
>         home:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
>         home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[
> 0005B94234BD at picasso.com]...10.x.x..x[a at airvana.com]
>         home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, 
> rekeying in 20 hours
>         home[1]: IKE proposal: 
> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>         home{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 
> 000a238e_o
>         home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 
> pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 
> hours
>         home{1}:   10.220.10.116/32 === 0.0.0.0/0 
> # ipsec listall
>
> List of registered IKE algorithms:
>
>   encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] 
> TWOFISH_CBC[af-alg]
>   integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] 
> HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
>               HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] 
> HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
>               HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] 
> HMAC_SHA2_512_512[hmac]
>   aead:
>   hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] 
> HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
>   prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] 
> PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
>               PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] 
> PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
>   dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] 
> MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
>               MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] 
> MODP_2048_256[gmp] MODP_CUSTOM[gmp]
>   random-gen: RNG_STRONG[random] RNG_TRUE[random]
>   nonce-gen:  [nonce]
>
> List of loaded Plugins:
>
> charon:
>     CUSTOM:libcharon
>         NONCE_GEN
>         CUSTOM:libcharon-receiver
>         CUSTOM:kernel-ipsec
>         CUSTOM:kernel-net
>     CUSTOM:libcharon-receiver
>         HASHER:HASH_SHA1
>         RNG:RNG_STRONG
>         CUSTOM:socket
> aes:
>     CRYPTER:AES_CBC-16
>     CRYPTER:AES_CBC-24
>     CRYPTER:AES_CBC-32
> des:
>     CRYPTER:3DES_CBC-24
>     CRYPTER:DES_CBC-8
>     CRYPTER:DES_ECB-8
> sha1:
>     HASHER:HASH_SHA1
>     PRF:PRF_KEYED_SHA1
> sha2:
>     HASHER:HASH_SHA224
>     HASHER:HASH_SHA256
>     HASHER:HASH_SHA384
>     HASHER:HASH_SHA512
> md5:
>     HASHER:HASH_MD5
> random:
>     RNG:RNG_STRONG
>     RNG:RNG_TRUE
> nonce:
>     NONCE_GEN
>         RNG:RNG_WEAK
> x509:
>     CERT_ENCODE:X509
>         HASHER:HASH_SHA1
>     CERT_DECODE:X509
>         HASHER:HASH_SHA1
>         PUBKEY:RSA (soft)
>         PUBKEY:ECDSA (soft)
>         PUBKEY:DSA (soft)
>     CERT_ENCODE:X509_AC
>     CERT_DECODE:X509_AC
>     CERT_ENCODE:X509_CRL
>     CERT_DECODE:X509_CRL
>     CERT_ENCODE:X509_OCSP_REQUEST
>         HASHER:HASH_SHA1
>         RNG:RNG_WEAK
>     CERT_DECODE:X509_OCSP_RESPONSE
>     CERT_ENCODE:PKCS10_REQUEST
>     CERT_DECODE:PKCS10_REQUEST
> revocation:
>     CUSTOM:revocation
>         CERT_ENCODE:X509_OCSP_REQUEST (soft)
>         CERT_DECODE:X509_OCSP_RESPONSE (soft)
>         CERT_DECODE:X509_CRL (soft)
>         CERT_DECODE:X509 (soft)
>         FETCHER:(null) (soft)
> constraints:
>     CUSTOM:constraints
>         CERT_DECODE:X509 (soft)
> pubkey:
>     CERT_ENCODE:TRUSTED_PUBKEY
>     CERT_DECODE:TRUSTED_PUBKEY
>         PUBKEY:RSA (soft)
>         PUBKEY:ECDSA (soft)
>         PUBKEY:DSA (soft)
> pkcs1:
>     PRIVKEY:RSA
>     PUBKEY:ANY
>     PUBKEY:RSA
> pkcs7:
>     CONTAINER_DECODE:PKCS7
>     CONTAINER_ENCODE:PKCS7_DATA
>     CONTAINER_ENCODE:PKCS7_SIGNED_DATA
>     CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
> pkcs8:
>     PRIVKEY:ANY
>     PRIVKEY:RSA
>     PRIVKEY:ECDSA
> pgp:
>     PRIVKEY:ANY
>     PRIVKEY:RSA
>     PUBKEY:ANY
>     PUBKEY:RSA
>     CERT_DECODE:PGP
> dnskey:
>     PUBKEY:ANY
>     PUBKEY:RSA
> pem:
>     PRIVKEY:ANY
>         PRIVKEY:ANY
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:RSA
>         PRIVKEY:RSA
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:ECDSA
>         PRIVKEY:ECDSA
>         HASHER:HASH_MD5 (soft)
>     PRIVKEY:DSA (not loaded)
>         PRIVKEY:DSA
>         HASHER:HASH_MD5 (soft)
>     PUBKEY:ANY
>         PUBKEY:ANY
>     PUBKEY:RSA
>         PUBKEY:RSA
>     PUBKEY:ECDSA (not loaded)
>         PUBKEY:ECDSA
>     PUBKEY:DSA (not loaded)
>         PUBKEY:DSA
>     CERT_DECODE:ANY
>         CERT_DECODE:X509 (soft)
>         CERT_DECODE:PGP (soft)
>     CERT_DECODE:X509
>         CERT_DECODE:X509
>     CERT_DECODE:X509_CRL
>         CERT_DECODE:X509_CRL
>     CERT_DECODE:X509_OCSP_REQUEST (not loaded)
>         CERT_DECODE:X509_OCSP_REQUEST
>     CERT_DECODE:X509_OCSP_RESPONSE
>         CERT_DECODE:X509_OCSP_RESPONSE
>     CERT_DECODE:X509_AC
>         CERT_DECODE:X509_AC
>     CERT_DECODE:PKCS10_REQUEST
>         CERT_DECODE:PKCS10_REQUEST
>     CERT_DECODE:TRUSTED_PUBKEY
>         CERT_DECODE:TRUSTED_PUBKEY
>     CERT_DECODE:PGP
>         CERT_DECODE:PGP
>     CONTAINER_DECODE:PKCS12 (not loaded)
>         CONTAINER_DECODE:PKCS12
> af-alg:
>     CRYPTER:DES_CBC-8
>     CRYPTER:DES_ECB-8
>     CRYPTER:3DES_CBC-24
>     CRYPTER:AES_CBC-16
>     CRYPTER:AES_CBC-24
>     CRYPTER:AES_CBC-32
>     CRYPTER:TWOFISH_CBC-16
>     CRYPTER:TWOFISH_CBC-24
>     CRYPTER:TWOFISH_CBC-32
> fips-prf:
>     PRF:PRF_FIPS_SHA1_160
>         PRF:PRF_KEYED_SHA1
> gmp:
>     DH:MODP_2048
>         RNG:RNG_STRONG
>     DH:MODP_2048_224
>         RNG:RNG_STRONG
>     DH:MODP_2048_256
>         RNG:RNG_STRONG
>     DH:MODP_1536
>         RNG:RNG_STRONG
>     DH:MODP_3072
>         RNG:RNG_STRONG
>     DH:MODP_4096
>         RNG:RNG_STRONG
>     DH:MODP_6144
>         RNG:RNG_STRONG
>     DH:MODP_8192
>         RNG:RNG_STRONG
>     DH:MODP_1024
>         RNG:RNG_STRONG
>     DH:MODP_1024_160
>         RNG:RNG_STRONG
>     DH:MODP_768
>         RNG:RNG_STRONG
>     DH:MODP_CUSTOM
>         RNG:RNG_STRONG
>     PRIVKEY:RSA
>     PRIVKEY_GEN:RSA
>         RNG:RNG_TRUE
>     PUBKEY:RSA
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
>         HASHER:HASH_SHA1
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
>         HASHER:HASH_SHA224
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
>         HASHER:HASH_SHA256
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
>         HASHER:HASH_SHA384
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
>         HASHER:HASH_SHA512
>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
>         HASHER:HASH_MD5
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
>         HASHER:HASH_SHA1
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
>         HASHER:HASH_SHA224
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
>         HASHER:HASH_SHA256
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
>         HASHER:HASH_SHA384
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
>         HASHER:HASH_SHA512
>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
>         HASHER:HASH_MD5
>     PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
>     PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
>         RNG:RNG_WEAK
> cmac:
>     PRF:PRF_AES128_CMAC
>         CRYPTER:AES_CBC-16
>     SIGNER:AES_CMAC_96
>         CRYPTER:AES_CBC-16
> hmac:
>     PRF:PRF_HMAC_SHA1
>         HASHER:HASH_SHA1
>     PRF:PRF_HMAC_MD5
>         HASHER:HASH_MD5
>     PRF:PRF_HMAC_SHA2_256
>         HASHER:HASH_SHA256
>     PRF:PRF_HMAC_SHA2_384
>         HASHER:HASH_SHA384
>     PRF:PRF_HMAC_SHA2_512
>         HASHER:HASH_SHA512
>     SIGNER:HMAC_SHA1_96
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_SHA1_128
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_SHA1_160
>         HASHER:HASH_SHA1
>     SIGNER:HMAC_MD5_96
>         HASHER:HASH_MD5
>     SIGNER:HMAC_MD5_128
>         HASHER:HASH_MD5
>     SIGNER:HMAC_SHA2_256_128
>         HASHER:HASH_SHA256
>     SIGNER:HMAC_SHA2_256_256
>         HASHER:HASH_SHA256
>     SIGNER:HMAC_SHA2_384_192
>         HASHER:HASH_SHA384
>     SIGNER:HMAC_SHA2_384_384
>         HASHER:HASH_SHA384
>     SIGNER:HMAC_SHA2_512_256
>         HASHER:HASH_SHA512
>     SIGNER:HMAC_SHA2_512_512
>         HASHER:HASH_SHA512
> attr:
>     CUSTOM:attr
> kernel-libipsec:
>     CUSTOM:kernel-ipsec
>     CUSTOM:kernel-libipsec-router
>         CUSTOM:libcharon-receiver
> kernel-netlink:
>     CUSTOM:kernel-ipsec
>     CUSTOM:kernel-net
> resolve:
>     CUSTOM:resolve
> socket-default:
>     CUSTOM:socket
>         CUSTOM:kernel-ipsec (soft)
> stroke:
>     CUSTOM:stroke
>         PRIVKEY:RSA (soft)
>         PRIVKEY:ECDSA (soft)
>         PRIVKEY:DSA (soft)
>         CERT_DECODE:ANY (soft)
>         CERT_DECODE:X509 (soft)
>         CERT_DECODE:X509_CRL (soft)
>         CERT_DECODE:X509_AC (soft)
>         CERT_DECODE:TRUSTED_PUBKEY (soft)
> updown:
>     CUSTOM:updown
> eap-identity:
>     EAP_SERVER:ID
>     EAP_CLIENT:ID
> eap-md5:
>     EAP_SERVER:MD5
>         HASHER:HASH_MD5
>         RNG:RNG_WEAK
>     EAP_CLIENT:MD5
>         HASHER:HASH_MD5
>         RNG:RNG_WEAK
> xauth-generic:
>     XAUTH_SERVER:generic
>     XAUTH_CLIENT:generic
> xauth-eap:
>     XAUTH_SERVER:eap
>
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>         charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 
> 1 dmn 1"
>
> conn home
>      left=10.x.x.x
>      leftid=0005B94234BD at picasso.com
>      leftauth=eap-md5
>      rightauth=psk
>      leftsourceip=%config
>      leftfirewall=yes
>      ike=3des-sha1-prfsha1-modp1024!
>      esp=aes128-sha1!
>      right=10.x.x.x
>      rightsubnet=0.0.0.0/0
>      rightid=%any
>      auto=add
>      mobike=no
>      dpddelay=200s
>      dpdaction=clear
>      rekey=yes
>      ikelifetime=86400
>      lifetime=36000
>      reauth=no
>      rekeymargin=3m
>      keyingtries=1
>      keyexchange=ikev2
>
> # cat /etc/strongswan.conf
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>         # number of worker threads in charon
>         threads = 16
>
>         close_ike_on_child_failure = yes
>         retransmit_tries = 20
>         retransmit_timeout = 20
>         retransmit_base = 1
>
>         keep_alive = 20s
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
>
>         plugins {
>
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database = 
> mysql://user:password@localhost/database
>                 }
>                 resolve{
>                        file = /etc/resolvtunnel.conf
>                 }
>                 kernel-netlink {
>                       fwmark = !0x42
>                 }
>                 socket-default {
>                       fwmark = 0x42
>                 }
>                 kernel-libipsec {
>                       allow_peer_ts = yes
>                 }
>         }
> }
>
>
> Let me know if this is an existing issue. Please let me know if any 
> further information is required.
>
> Regards,
> Sriram.
>
>
>
>
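Added example, not part of this thread and not strongSwan code: a small Python script that parses the memory and traffic fields `ipsec statusall` prints (the same layout as the 5.3.0 output quoted above) and, optionally, the VmRSS line of /proc/<pid>/status, then judges a series of samples taken during an iperf run. It flags the pattern the report describes: memory that only ever grows while packets keep flowing and the number of established SAs stays constant. The snapshot texts and all numbers in it are constructed; the 64 KiB growth threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field patterns taken from the `ipsec statusall` layout quoted in the report.
MALLOC_RE = re.compile(r"malloc: sbrk (\d+), mmap (\d+), used (\d+), free (\d+)")
SA_UP_RE = re.compile(r"Security Associations \((\d+) up")
TRAFFIC_RE = re.compile(r"(\d+) bytes_i \((\d+) pkts.*?(\d+) bytes_o \((\d+) pkts")
VMRSS_RE = re.compile(r"VmRSS:\s+(\d+) kB")


@dataclass
class Sample:
    heap_used: int                # bytes in use according to charon's malloc line
    sas_up: int                   # established IKE_SAs
    pkts_in: int                  # ESP packets received, summed over CHILD_SAs
    pkts_out: int                 # ESP packets sent, summed over CHILD_SAs
    rss_kb: Optional[int] = None  # resident set size of the process, if known


def parse_status(status_text: str, proc_status_text: str = "") -> Sample:
    """Extract one Sample from `ipsec statusall` output plus optional /proc status."""
    m = MALLOC_RE.search(status_text)
    up = SA_UP_RE.search(status_text)
    if not m or not up:
        raise ValueError("not ipsec statusall output")
    pkts_in = pkts_out = 0
    for t in TRAFFIC_RE.finditer(status_text):
        pkts_in += int(t.group(2))
        pkts_out += int(t.group(4))
    rss = VMRSS_RE.search(proc_status_text)
    return Sample(int(m.group(3)), int(up.group(1)), pkts_in, pkts_out,
                  int(rss.group(1)) if rss else None)


def detect_leak(samples: List[Sample], min_growth: int = 64 * 1024) -> dict:
    """Leak signature: memory grows at every sample, the SA count is flat, traffic
    flows, and the total growth exceeds min_growth (assumed threshold)."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    use_rss = all(s.rss_kb is not None for s in samples)
    metric = [s.rss_kb * 1024 if use_rss else s.heap_used for s in samples]
    monotonic = all(b > a for a, b in zip(metric, metric[1:]))
    sa_stable = len({s.sas_up for s in samples}) == 1
    growth = metric[-1] - metric[0]
    pkts = (samples[-1].pkts_in + samples[-1].pkts_out) - (samples[0].pkts_in + samples[0].pkts_out)
    return {
        "leaking": monotonic and sa_stable and growth >= min_growth and pkts > 0,
        "growth_bytes": growth,
        "packets": pkts,
        "bytes_per_pkt": growth / pkts if pkts else 0.0,
        "source": "rss" if use_rss else "malloc",
    }


def _snapshot(used: int, pkts_in: int, pkts_out: int) -> str:
    # Constructed `ipsec statusall` excerpt in the 5.3.0 layout; numbers are invented.
    return (
        "Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49, armv7l):\n"
        f"  malloc: sbrk 262144, mmap 0, used {used}, free 137848\n"
        "Security Associations (1 up, 0 connecting):\n"
        f"        home{{1}}:  AES_CBC_128/HMAC_SHA1_96, {pkts_in * 1000} bytes_i "
        f"({pkts_in} pkts, 9s ago), {pkts_out * 1000} bytes_o ({pkts_out} pkts, 9s ago), "
        "rekeying in 6 hours\n"
    )


# Constructed sample series: one where the heap grows with every packet forwarded,
# one where it merely fluctuates.
LEAKY = [_snapshot(124296, 1000, 500), _snapshot(224296, 2000, 1000), _snapshot(324296, 3000, 1500)]
STABLE = [_snapshot(124296, 1000, 500), _snapshot(130000, 2000, 1000), _snapshot(125000, 3000, 1500)]


if __name__ == "__main__":
    for name, series in (("leaky", LEAKY), ("stable", STABLE)):
        verdict = detect_leak([parse_status(s) for s in series])
        print(name, verdict)
```

In a real run the samples come from `ipsec statusall` and `cat /proc/$(pidof charon)/status` taken every few minutes while iperf is running. Note that the malloc line in the quoted output shows only about 124 KB in use after three hours, nowhere near the 630 MB the report mentions, which is why the script prefers VmRSS whenever it is available: growth that does not show up in charon's own heap statistics can still show up in the process resident size.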