[strongSwan] Fwd: Encryption/Decryption with Libipsec - Memory leak issue with charon

Sriram sriram.ec at gmail.com
Fri May 22 11:18:54 CEST 2015


Thanks Miroslav. I did that.

Regards,
Sriram

On Fri, May 22, 2015 at 2:38 PM, Miroslav Svoboda <goodmirek at goodmirek.cz>
wrote:

> I suppose you may want to create a new bug report for this issue.
> You can do it here:
> https://wiki.strongswan.org/projects/strongswan/issues/new
> You would need to create an account, unless you already had one.
>
> Miroslav
>
> On Friday, May 22, 2015 at 8:44:44 AM UTC+2, Sriram wrote:
>>
>>
>> ---------- Forwarded message ----------
>> From: Sriram <sriram.ec at gmail.com>
>> Date: Fri, May 22, 2015 at 8:47 AM
>> Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
>> To: users at lists.strongswan.org
>>
>>
>> Hi,
>>
>> I'm using strongswan-5.3.0 for tunnel establishment. In that I'm trying
>> out libipsec, which does userspace encryption/decryption.
>>
>> In our lab I tested a scenario where I sent,
>>
>> 1. 20Mbps uplink traffic from the device where libipsec is running, to a
>> remote server.
>> 2. 80Mbps downlink traffic from the remote server to the device where
>> libipsec is running.
>>
>> These two traffic streams are sent simultaneously using the iperf tool.
>> I see that charon's memory usage gradually shoots up; it goes up to 630MB
>> before the device crashes with out of memory.
>>
>> Attaching the ipsec configuration on the device for reference:
>> # ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.3.0, Linux
>> 3.10.49-perf-g9578e9c-dirty, armv7l):
>>   uptime: 3 hours, since May 21 12:39:32 2015
>>   malloc: sbrk 262144, mmap 0, used 124296, free 137848
>>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
>> scheduled: 5
>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg
>> fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve
>> socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
>> Listening IP addresses:
>>   10.206.1.195
>>   192.168.16.1
>>   192.168.17.1
>>   192.168.18.1
>>   192.168.19.1
>>   192.168.20.1
>>   192.168.21.1
>>   192.168.22.1
>> Connections:
>>         home:  10.x.x.x....10.x.x.x  IKEv2, dpddelay=200s
>>         home:   local:  [0005B94234BD at picasso.com] uses EAP_MD5
>> authentication
>>         home:   remote: uses pre-shared key authentication
>>         home:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>>         home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[
>> 0005B94234BD at picasso.com]...10.x.x.x[a at airvana.com]
>>         home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r,
>> rekeying in 20 hours
>>         home[1]: IKE proposal:
>> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>         home{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i
>> 000a238e_o
>>         home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181
>> pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6
>> hours
>>         home{1}:   10.220.10.116/32 === 0.0.0.0/0
>> # ipsec listall
>>
>> List of registered IKE algorithms:
>>
>>   encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
>> TWOFISH_CBC[af-alg]
>>   integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac]
>> HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
>>               HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac]
>> HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
>>               HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
>> HMAC_SHA2_512_512[hmac]
>>   aead:
>>   hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
>> HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
>>   prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac]
>> PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
>>               PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac]
>> PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
>>   dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp]
>> MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
>>               MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp]
>> MODP_2048_256[gmp] MODP_CUSTOM[gmp]
>>   random-gen: RNG_STRONG[random] RNG_TRUE[random]
>>   nonce-gen:  [nonce]
>>
>> List of loaded Plugins:
>>
>> charon:
>>     CUSTOM:libcharon
>>         NONCE_GEN
>>         CUSTOM:libcharon-receiver
>>         CUSTOM:kernel-ipsec
>>         CUSTOM:kernel-net
>>     CUSTOM:libcharon-receiver
>>         HASHER:HASH_SHA1
>>         RNG:RNG_STRONG
>>         CUSTOM:socket
>> aes:
>>     CRYPTER:AES_CBC-16
>>     CRYPTER:AES_CBC-24
>>     CRYPTER:AES_CBC-32
>> des:
>>     CRYPTER:3DES_CBC-24
>>     CRYPTER:DES_CBC-8
>>     CRYPTER:DES_ECB-8
>> sha1:
>>     HASHER:HASH_SHA1
>>     PRF:PRF_KEYED_SHA1
>> sha2:
>>     HASHER:HASH_SHA224
>>     HASHER:HASH_SHA256
>>     HASHER:HASH_SHA384
>>     HASHER:HASH_SHA512
>> md5:
>>     HASHER:HASH_MD5
>> random:
>>     RNG:RNG_STRONG
>>     RNG:RNG_TRUE
>> nonce:
>>     NONCE_GEN
>>         RNG:RNG_WEAK
>> x509:
>>     CERT_ENCODE:X509
>>         HASHER:HASH_SHA1
>>     CERT_DECODE:X509
>>         HASHER:HASH_SHA1
>>         PUBKEY:RSA (soft)
>>         PUBKEY:ECDSA (soft)
>>         PUBKEY:DSA (soft)
>>     CERT_ENCODE:X509_AC
>>     CERT_DECODE:X509_AC
>>     CERT_ENCODE:X509_CRL
>>     CERT_DECODE:X509_CRL
>>     CERT_ENCODE:X509_OCSP_REQUEST
>>         HASHER:HASH_SHA1
>>         RNG:RNG_WEAK
>>     CERT_DECODE:X509_OCSP_RESPONSE
>>     CERT_ENCODE:PKCS10_REQUEST
>>     CERT_DECODE:PKCS10_REQUEST
>> revocation:
>>     CUSTOM:revocation
>>         CERT_ENCODE:X509_OCSP_REQUEST (soft)
>>         CERT_DECODE:X509_OCSP_RESPONSE (soft)
>>         CERT_DECODE:X509_CRL (soft)
>>         CERT_DECODE:X509 (soft)
>>         FETCHER:(null) (soft)
>> constraints:
>>     CUSTOM:constraints
>>         CERT_DECODE:X509 (soft)
>> pubkey:
>>     CERT_ENCODE:TRUSTED_PUBKEY
>>     CERT_DECODE:TRUSTED_PUBKEY
>>         PUBKEY:RSA (soft)
>>         PUBKEY:ECDSA (soft)
>>         PUBKEY:DSA (soft)
>> pkcs1:
>>     PRIVKEY:RSA
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>> pkcs7:
>>     CONTAINER_DECODE:PKCS7
>>     CONTAINER_ENCODE:PKCS7_DATA
>>     CONTAINER_ENCODE:PKCS7_SIGNED_DATA
>>     CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
>> pkcs8:
>>     PRIVKEY:ANY
>>     PRIVKEY:RSA
>>     PRIVKEY:ECDSA
>> pgp:
>>     PRIVKEY:ANY
>>     PRIVKEY:RSA
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>>     CERT_DECODE:PGP
>> dnskey:
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>> pem:
>>     PRIVKEY:ANY
>>         PRIVKEY:ANY
>>         HASHER:HASH_MD5 (soft)
>>     PRIVKEY:RSA
>>         PRIVKEY:RSA
>>         HASHER:HASH_MD5 (soft)
>>     PRIVKEY:ECDSA
>>         PRIVKEY:ECDSA
>>         HASHER:HASH_MD5 (soft)
>>     PRIVKEY:DSA (not loaded)
>>         PRIVKEY:DSA
>>         HASHER:HASH_MD5 (soft)
>>     PUBKEY:ANY
>>         PUBKEY:ANY
>>     PUBKEY:RSA
>>         PUBKEY:RSA
>>     PUBKEY:ECDSA (not loaded)
>>         PUBKEY:ECDSA
>>     PUBKEY:DSA (not loaded)
>>         PUBKEY:DSA
>>     CERT_DECODE:ANY
>>         CERT_DECODE:X509 (soft)
>>         CERT_DECODE:PGP (soft)
>>     CERT_DECODE:X509
>>         CERT_DECODE:X509
>>     CERT_DECODE:X509_CRL
>>         CERT_DECODE:X509_CRL
>>     CERT_DECODE:X509_OCSP_REQUEST (not loaded)
>>         CERT_DECODE:X509_OCSP_REQUEST
>>     CERT_DECODE:X509_OCSP_RESPONSE
>>         CERT_DECODE:X509_OCSP_RESPONSE
>>     CERT_DECODE:X509_AC
>>         CERT_DECODE:X509_AC
>>     CERT_DECODE:PKCS10_REQUEST
>>         CERT_DECODE:PKCS10_REQUEST
>>     CERT_DECODE:TRUSTED_PUBKEY
>>         CERT_DECODE:TRUSTED_PUBKEY
>>     CERT_DECODE:PGP
>>         CERT_DECODE:PGP
>>     CONTAINER_DECODE:PKCS12 (not loaded)
>>         CONTAINER_DECODE:PKCS12
>> af-alg:
>>     CRYPTER:DES_CBC-8
>>     CRYPTER:DES_ECB-8
>>     CRYPTER:3DES_CBC-24
>>     CRYPTER:AES_CBC-16
>>     CRYPTER:AES_CBC-24
>>     CRYPTER:AES_CBC-32
>>     CRYPTER:TWOFISH_CBC-16
>>     CRYPTER:TWOFISH_CBC-24
>>     CRYPTER:TWOFISH_CBC-32
>> fips-prf:
>>     PRF:PRF_FIPS_SHA1_160
>>         PRF:PRF_KEYED_SHA1
>> gmp:
>>     DH:MODP_2048
>>         RNG:RNG_STRONG
>>     DH:MODP_2048_224
>>         RNG:RNG_STRONG
>>     DH:MODP_2048_256
>>         RNG:RNG_STRONG
>>     DH:MODP_1536
>>         RNG:RNG_STRONG
>>     DH:MODP_3072
>>         RNG:RNG_STRONG
>>     DH:MODP_4096
>>         RNG:RNG_STRONG
>>     DH:MODP_6144
>>         RNG:RNG_STRONG
>>     DH:MODP_8192
>>         RNG:RNG_STRONG
>>     DH:MODP_1024
>>         RNG:RNG_STRONG
>>     DH:MODP_1024_160
>>         RNG:RNG_STRONG
>>     DH:MODP_768
>>         RNG:RNG_STRONG
>>     DH:MODP_CUSTOM
>>         RNG:RNG_STRONG
>>     PRIVKEY:RSA
>>     PRIVKEY_GEN:RSA
>>         RNG:RNG_TRUE
>>     PUBKEY:RSA
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
>>         HASHER:HASH_SHA1
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
>>         HASHER:HASH_SHA224
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
>>         HASHER:HASH_SHA256
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
>>         HASHER:HASH_SHA384
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
>>         HASHER:HASH_SHA512
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
>>         HASHER:HASH_MD5
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
>>         HASHER:HASH_SHA1
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
>>         HASHER:HASH_SHA224
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
>>         HASHER:HASH_SHA256
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
>>         HASHER:HASH_SHA384
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
>>         HASHER:HASH_SHA512
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
>>         HASHER:HASH_MD5
>>     PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
>>     PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
>>         RNG:RNG_WEAK
>> cmac:
>>     PRF:PRF_AES128_CMAC
>>         CRYPTER:AES_CBC-16
>>     SIGNER:AES_CMAC_96
>>         CRYPTER:AES_CBC-16
>> hmac:
>>     PRF:PRF_HMAC_SHA1
>>         HASHER:HASH_SHA1
>>     PRF:PRF_HMAC_MD5
>>         HASHER:HASH_MD5
>>     PRF:PRF_HMAC_SHA2_256
>>         HASHER:HASH_SHA256
>>     PRF:PRF_HMAC_SHA2_384
>>         HASHER:HASH_SHA384
>>     PRF:PRF_HMAC_SHA2_512
>>         HASHER:HASH_SHA512
>>     SIGNER:HMAC_SHA1_96
>>         HASHER:HASH_SHA1
>>     SIGNER:HMAC_SHA1_128
>>         HASHER:HASH_SHA1
>>     SIGNER:HMAC_SHA1_160
>>         HASHER:HASH_SHA1
>>     SIGNER:HMAC_MD5_96
>>         HASHER:HASH_MD5
>>     SIGNER:HMAC_MD5_128
>>         HASHER:HASH_MD5
>>     SIGNER:HMAC_SHA2_256_128
>>         HASHER:HASH_SHA256
>>     SIGNER:HMAC_SHA2_256_256
>>         HASHER:HASH_SHA256
>>     SIGNER:HMAC_SHA2_384_192
>>         HASHER:HASH_SHA384
>>     SIGNER:HMAC_SHA2_384_384
>>         HASHER:HASH_SHA384
>>     SIGNER:HMAC_SHA2_512_256
>>         HASHER:HASH_SHA512
>>     SIGNER:HMAC_SHA2_512_512
>>         HASHER:HASH_SHA512
>> attr:
>>     CUSTOM:attr
>> kernel-libipsec:
>>     CUSTOM:kernel-ipsec
>>     CUSTOM:kernel-libipsec-router
>>         CUSTOM:libcharon-receiver
>> kernel-netlink:
>>     CUSTOM:kernel-ipsec
>>     CUSTOM:kernel-net
>> resolve:
>>     CUSTOM:resolve
>> socket-default:
>>     CUSTOM:socket
>>         CUSTOM:kernel-ipsec (soft)
>> stroke:
>>     CUSTOM:stroke
>>         PRIVKEY:RSA (soft)
>>         PRIVKEY:ECDSA (soft)
>>         PRIVKEY:DSA (soft)
>>         CERT_DECODE:ANY (soft)
>>         CERT_DECODE:X509 (soft)
>>         CERT_DECODE:X509_CRL (soft)
>>         CERT_DECODE:X509_AC (soft)
>>         CERT_DECODE:TRUSTED_PUBKEY (soft)
>> updown:
>>     CUSTOM:updown
>> eap-identity:
>>     EAP_SERVER:ID
>>     EAP_CLIENT:ID
>> eap-md5:
>>     EAP_SERVER:MD5
>>         HASHER:HASH_MD5
>>         RNG:RNG_WEAK
>>     EAP_CLIENT:MD5
>>         HASHER:HASH_MD5
>>         RNG:RNG_WEAK
>> xauth-generic:
>>     XAUTH_SERVER:generic
>>     XAUTH_CLIENT:generic
>> xauth-eap:
>>     XAUTH_SERVER:eap
>>
>> # cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>> config setup
>>         charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl
>> 1 dmn 1"
>>
>> conn home
>>      left=10.x.x.x
>>      leftid=0005B94234BD at picasso.com
>>      leftauth=eap-md5
>>      rightauth=psk
>>      leftsourceip=%config
>>      leftfirewall=yes
>>      ike=3des-sha1-prfsha1-modp1024!
>>      esp=aes128-sha1!
>>      right=10.x.x.x
>>      rightsubnet=0.0.0.0/0
>>      rightid=%any
>>      auto=add
>>      mobike=no
>>      dpddelay=200s
>>      dpdaction=clear
>>      rekey=yes
>>      ikelifetime=86400
>>      lifetime=36000
>>      reauth=no
>>      rekeymargin=3m
>>      keyingtries=1
>>      keyexchange=ikev2
>>
>> # cat /etc/strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>
>>         # number of worker threads in charon
>>         threads = 16
>>
>>         close_ike_on_child_failure = yes
>>         retransmit_tries = 20
>>         retransmit_timeout = 20
>>         retransmit_base = 1
>>
>>         keep_alive = 20s
>>         # send strongswan vendor ID?
>>         # send_vendor_id = yes
>>
>>         plugins {
>>
>>                 sql {
>>                         # loglevel to log into sql database
>>                         loglevel = -1
>>                         # URI to the database
>>                         # database = sqlite:///path/to/file.db
>>                         # database = mysql://user:password@localhost
>> /database
>>                 }
>>                 resolve {
>>                        file = /etc/resolvtunnel.conf
>>                 }
>>                 kernel-netlink {
>>                       fwmark = !0x42
>>                 }
>>                 socket-default {
>>                       fwmark = 0x42
>>                 }
>>                 kernel-libipsec {
>>                       allow_peer_ts = yes
>>                 }
>>         }
>>
>>
>> Let me know if this is an existing issue. Please let me know if any
>> further information is required.
>>
>> Regards,
>> Sriram.
>>
>>
>>
>>
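An added diagnostic for reproducing the observation in the forwarded report (this is example code, not part of the thread and not part of strongSwan): a POSIX shell script that samples charon's resident set size from /proc and the `used` figure from the `malloc:` line of `ipsec statusall` while a load run such as the iperf test above is in progress, then applies a simple plateau-versus-climb heuristic to the samples. It assumes `pidof(8)` is available, that charon runs as a single process named `charon`, and that `ipsec statusall` prints the malloc line in the format shown in the post; the numbers used in the comments and the heuristic's threshold are constructed for illustration.

```shell
#!/bin/sh
# charon-memwatch.sh: sample charon's memory while load is applied and report
# whether it is still climbing at the end of the run.  Example script, not part
# of strongSwan; assumes pidof(8) and the `ipsec statusall` output format shown
# in the report above.

# Resident set size of a pid in kB, read from /proc.
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status"
}

# Extract the "used" bytes from a line such as
#   malloc: sbrk 262144, mmap 0, used 124296, free 137848
# as printed by `ipsec statusall` (input on stdin, result on stdout).
parse_malloc_used() {
    sed -n 's/.*malloc:.*used \([0-9][0-9]*\),.*/\1/p'
}

# Leak heuristic over a series of integer samples: split them into an early
# and a late half; if the smallest late sample exceeds the largest early
# sample by more than THRESHOLD_PCT percent, memory is still climbing rather
# than settling on a plateau.  Returns 0 (climbing), 1 (not climbing),
# 2 (fewer than four samples, too few to judge).
growth_detected() {
    threshold_pct=$1; shift
    n=$#
    if [ "$n" -lt 4 ]; then
        return 2
    fi
    half=$((n / 2))
    i=0; max_early=0; min_late=
    for s in "$@"; do
        if [ "$i" -lt "$half" ]; then
            if [ "$s" -gt "$max_early" ]; then max_early=$s; fi
        else
            if [ -z "$min_late" ] || [ "$s" -lt "$min_late" ]; then min_late=$s; fi
        fi
        i=$((i + 1))
    done
    [ $((min_late * 100)) -gt $((max_early * (100 + threshold_pct))) ]
}

# Sample every INTERVAL seconds for COUNT rounds while the iperf run is under
# way; prints "epoch rss_kb malloc_used" per sample, then a verdict.
monitor_charon() {
    interval=${1:-10}; count=${2:-30}
    pid=$(pidof charon) || { echo "charon is not running" >&2; return 2; }
    samples=""
    i=0
    while [ "$i" -lt "$count" ]; do
        rss=$(rss_kb "$pid")
        used=$(ipsec statusall 2>/dev/null | parse_malloc_used)
        echo "$(date +%s) $rss ${used:-?}"
        samples="$samples $rss"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
    # shellcheck disable=SC2086  # word splitting of $samples is intended
    if growth_detected 20 $samples; then
        echo "VERDICT: charon RSS still climbing (late half >20% above early half); suspect a leak"
    else
        echo "VERDICT: charon RSS has plateaued"
    fi
}

# Run the monitor only when invoked as `charon-memwatch.sh run [interval] [count]`,
# so the functions can also be sourced by other scripts.
if [ "${1:-}" = "run" ]; then
    monitor_charon "${2:-10}" "${3:-30}"
fi
```

Start the iperf streams, then run `sh charon-memwatch.sh run 10 30` on the device and keep the per-sample output alongside the verdict. Comparing the two columns is useful in itself: the `malloc:` line comes from mallinfo(), which on glibc covers only the main arena, so a process whose RSS keeps growing while that `used` figure stays small tells you the memory is not being tracked by that counter. If charon was built with `--enable-leak-detective`, `ipsec leaks` gives an allocation-level view that a bug report can carry.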