[strongSwan] Fwd: Encryption/Decryption with Libipsec - Memory leak issue with charon
Sriram
sriram.ec at gmail.com
Fri May 22 11:18:54 CEST 2015
Thanks Miroslav. I did that.
Regards,
Sriram
On Fri, May 22, 2015 at 2:38 PM, Miroslav Svoboda <goodmirek at goodmirek.cz>
wrote:
> I suppose you may want to create a new bug report for this issue.
> You can do it here:
> https://wiki.strongswan.org/projects/strongswan/issues/new
> You would need to create an account, unless you already had one.
>
> Miroslav
>
> On Friday, May 22, 2015 at 8:44:44 AM UTC+2, Sriram wrote:
>>
>>
>> ---------- Forwarded message ----------
>> From: Sriram <sriram.ec at gmail.com>
>> Date: Fri, May 22, 2015 at 8:47 AM
>> Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
>> To: users at lists.strongswan.org
>>
>>
>> Hi,
>>
>> I'm using strongswan-5.3.0 for tunnel establishment. In that setup I'm trying
>> out libipsec, which does userspace encryption/decryption.
>>
>> In our lab I tested a scenario where I sent,
>>
>> 1. 20Mbps uplink traffic from the device where libipsec is running, to a
>> remote server.
>> 2. 80Mbps downlink traffic from the remote server to the device where
>> libipsec is running.
>>
>> These two traffic streams are sent simultaneously using the iperf tool.
>> I see that charon's memory usage gradually shoots up; it goes up to 630 MB
>> before the device crashes with out of memory.
>>
>> Attaching the ipsec configuration at the device for reference:
>> # ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):
>> uptime: 3 hours, since May 21 12:39:32 2015
>> malloc: sbrk 262144, mmap 0, used 124296, free 137848
>> worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
>> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg
>> fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve
>> socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
>> Listening IP addresses:
>> 10.206.1.195
>> 192.168.16.1
>> 192.168.17.1
>> 192.168.18.1
>> 192.168.19.1
>> 192.168.20.1
>> 192.168.21.1
>> 192.168.22.1
>> Connections:
>> home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s
>> home: local: [0005B94234BD at picasso.com] uses EAP_MD5 authentication
>> home: remote: uses pre-shared key authentication
>> home: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>> home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[0005B94234BD at picasso.com]...10.x.x.x[a at airvana.com]
>> home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, rekeying in 20 hours
>> home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 000a238e_o
>> home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours
>> home{1}: 10.220.10.116/32 === 0.0.0.0/0
>> # ipsec listall
>>
>> List of registered IKE algorithms:
>>
>> encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
>> TWOFISH_CBC[af-alg]
>> integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac]
>> HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
>> HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac]
>> HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
>> HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
>> HMAC_SHA2_512_512[hmac]
>> aead:
>> hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
>> HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
>> prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac]
>> PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
>> PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac]
>> PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
>> dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp]
>> MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
>> MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp]
>> MODP_2048_256[gmp] MODP_CUSTOM[gmp]
>> random-gen: RNG_STRONG[random] RNG_TRUE[random]
>> nonce-gen: [nonce]
>>
>> List of loaded Plugins:
>>
>> charon:
>> CUSTOM:libcharon
>> NONCE_GEN
>> CUSTOM:libcharon-receiver
>> CUSTOM:kernel-ipsec
>> CUSTOM:kernel-net
>> CUSTOM:libcharon-receiver
>> HASHER:HASH_SHA1
>> RNG:RNG_STRONG
>> CUSTOM:socket
>> aes:
>> CRYPTER:AES_CBC-16
>> CRYPTER:AES_CBC-24
>> CRYPTER:AES_CBC-32
>> des:
>> CRYPTER:3DES_CBC-24
>> CRYPTER:DES_CBC-8
>> CRYPTER:DES_ECB-8
>> sha1:
>> HASHER:HASH_SHA1
>> PRF:PRF_KEYED_SHA1
>> sha2:
>> HASHER:HASH_SHA224
>> HASHER:HASH_SHA256
>> HASHER:HASH_SHA384
>> HASHER:HASH_SHA512
>> md5:
>> HASHER:HASH_MD5
>> random:
>> RNG:RNG_STRONG
>> RNG:RNG_TRUE
>> nonce:
>> NONCE_GEN
>> RNG:RNG_WEAK
>> x509:
>> CERT_ENCODE:X509
>> HASHER:HASH_SHA1
>> CERT_DECODE:X509
>> HASHER:HASH_SHA1
>> PUBKEY:RSA (soft)
>> PUBKEY:ECDSA (soft)
>> PUBKEY:DSA (soft)
>> CERT_ENCODE:X509_AC
>> CERT_DECODE:X509_AC
>> CERT_ENCODE:X509_CRL
>> CERT_DECODE:X509_CRL
>> CERT_ENCODE:X509_OCSP_REQUEST
>> HASHER:HASH_SHA1
>> RNG:RNG_WEAK
>> CERT_DECODE:X509_OCSP_RESPONSE
>> CERT_ENCODE:PKCS10_REQUEST
>> CERT_DECODE:PKCS10_REQUEST
>> revocation:
>> CUSTOM:revocation
>> CERT_ENCODE:X509_OCSP_REQUEST (soft)
>> CERT_DECODE:X509_OCSP_RESPONSE (soft)
>> CERT_DECODE:X509_CRL (soft)
>> CERT_DECODE:X509 (soft)
>> FETCHER:(null) (soft)
>> constraints:
>> CUSTOM:constraints
>> CERT_DECODE:X509 (soft)
>> pubkey:
>> CERT_ENCODE:TRUSTED_PUBKEY
>> CERT_DECODE:TRUSTED_PUBKEY
>> PUBKEY:RSA (soft)
>> PUBKEY:ECDSA (soft)
>> PUBKEY:DSA (soft)
>> pkcs1:
>> PRIVKEY:RSA
>> PUBKEY:ANY
>> PUBKEY:RSA
>> pkcs7:
>> CONTAINER_DECODE:PKCS7
>> CONTAINER_ENCODE:PKCS7_DATA
>> CONTAINER_ENCODE:PKCS7_SIGNED_DATA
>> CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
>> pkcs8:
>> PRIVKEY:ANY
>> PRIVKEY:RSA
>> PRIVKEY:ECDSA
>> pgp:
>> PRIVKEY:ANY
>> PRIVKEY:RSA
>> PUBKEY:ANY
>> PUBKEY:RSA
>> CERT_DECODE:PGP
>> dnskey:
>> PUBKEY:ANY
>> PUBKEY:RSA
>> pem:
>> PRIVKEY:ANY
>> PRIVKEY:ANY
>> HASHER:HASH_MD5 (soft)
>> PRIVKEY:RSA
>> PRIVKEY:RSA
>> HASHER:HASH_MD5 (soft)
>> PRIVKEY:ECDSA
>> PRIVKEY:ECDSA
>> HASHER:HASH_MD5 (soft)
>> PRIVKEY:DSA (not loaded)
>> PRIVKEY:DSA
>> HASHER:HASH_MD5 (soft)
>> PUBKEY:ANY
>> PUBKEY:ANY
>> PUBKEY:RSA
>> PUBKEY:RSA
>> PUBKEY:ECDSA (not loaded)
>> PUBKEY:ECDSA
>> PUBKEY:DSA (not loaded)
>> PUBKEY:DSA
>> CERT_DECODE:ANY
>> CERT_DECODE:X509 (soft)
>> CERT_DECODE:PGP (soft)
>> CERT_DECODE:X509
>> CERT_DECODE:X509
>> CERT_DECODE:X509_CRL
>> CERT_DECODE:X509_CRL
>> CERT_DECODE:X509_OCSP_REQUEST (not loaded)
>> CERT_DECODE:X509_OCSP_REQUEST
>> CERT_DECODE:X509_OCSP_RESPONSE
>> CERT_DECODE:X509_OCSP_RESPONSE
>> CERT_DECODE:X509_AC
>> CERT_DECODE:X509_AC
>> CERT_DECODE:PKCS10_REQUEST
>> CERT_DECODE:PKCS10_REQUEST
>> CERT_DECODE:TRUSTED_PUBKEY
>> CERT_DECODE:TRUSTED_PUBKEY
>> CERT_DECODE:PGP
>> CERT_DECODE:PGP
>> CONTAINER_DECODE:PKCS12 (not loaded)
>> CONTAINER_DECODE:PKCS12
>> af-alg:
>> CRYPTER:DES_CBC-8
>> CRYPTER:DES_ECB-8
>> CRYPTER:3DES_CBC-24
>> CRYPTER:AES_CBC-16
>> CRYPTER:AES_CBC-24
>> CRYPTER:AES_CBC-32
>> CRYPTER:TWOFISH_CBC-16
>> CRYPTER:TWOFISH_CBC-24
>> CRYPTER:TWOFISH_CBC-32
>> fips-prf:
>> PRF:PRF_FIPS_SHA1_160
>> PRF:PRF_KEYED_SHA1
>> gmp:
>> DH:MODP_2048
>> RNG:RNG_STRONG
>> DH:MODP_2048_224
>> RNG:RNG_STRONG
>> DH:MODP_2048_256
>> RNG:RNG_STRONG
>> DH:MODP_1536
>> RNG:RNG_STRONG
>> DH:MODP_3072
>> RNG:RNG_STRONG
>> DH:MODP_4096
>> RNG:RNG_STRONG
>> DH:MODP_6144
>> RNG:RNG_STRONG
>> DH:MODP_8192
>> RNG:RNG_STRONG
>> DH:MODP_1024
>> RNG:RNG_STRONG
>> DH:MODP_1024_160
>> RNG:RNG_STRONG
>> DH:MODP_768
>> RNG:RNG_STRONG
>> DH:MODP_CUSTOM
>> RNG:RNG_STRONG
>> PRIVKEY:RSA
>> PRIVKEY_GEN:RSA
>> RNG:RNG_TRUE
>> PUBKEY:RSA
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
>> HASHER:HASH_SHA1
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
>> HASHER:HASH_SHA224
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
>> HASHER:HASH_SHA256
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
>> HASHER:HASH_SHA384
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
>> HASHER:HASH_SHA512
>> PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
>> HASHER:HASH_MD5
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
>> HASHER:HASH_SHA1
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
>> HASHER:HASH_SHA224
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
>> HASHER:HASH_SHA256
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
>> HASHER:HASH_SHA384
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
>> HASHER:HASH_SHA512
>> PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
>> HASHER:HASH_MD5
>> PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
>> PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
>> RNG:RNG_WEAK
>> cmac:
>> PRF:PRF_AES128_CMAC
>> CRYPTER:AES_CBC-16
>> SIGNER:AES_CMAC_96
>> CRYPTER:AES_CBC-16
>> hmac:
>> PRF:PRF_HMAC_SHA1
>> HASHER:HASH_SHA1
>> PRF:PRF_HMAC_MD5
>> HASHER:HASH_MD5
>> PRF:PRF_HMAC_SHA2_256
>> HASHER:HASH_SHA256
>> PRF:PRF_HMAC_SHA2_384
>> HASHER:HASH_SHA384
>> PRF:PRF_HMAC_SHA2_512
>> HASHER:HASH_SHA512
>> SIGNER:HMAC_SHA1_96
>> HASHER:HASH_SHA1
>> SIGNER:HMAC_SHA1_128
>> HASHER:HASH_SHA1
>> SIGNER:HMAC_SHA1_160
>> HASHER:HASH_SHA1
>> SIGNER:HMAC_MD5_96
>> HASHER:HASH_MD5
>> SIGNER:HMAC_MD5_128
>> HASHER:HASH_MD5
>> SIGNER:HMAC_SHA2_256_128
>> HASHER:HASH_SHA256
>> SIGNER:HMAC_SHA2_256_256
>> HASHER:HASH_SHA256
>> SIGNER:HMAC_SHA2_384_192
>> HASHER:HASH_SHA384
>> SIGNER:HMAC_SHA2_384_384
>> HASHER:HASH_SHA384
>> SIGNER:HMAC_SHA2_512_256
>> HASHER:HASH_SHA512
>> SIGNER:HMAC_SHA2_512_512
>> HASHER:HASH_SHA512
>> attr:
>> CUSTOM:attr
>> kernel-libipsec:
>> CUSTOM:kernel-ipsec
>> CUSTOM:kernel-libipsec-router
>> CUSTOM:libcharon-receiver
>> kernel-netlink:
>> CUSTOM:kernel-ipsec
>> CUSTOM:kernel-net
>> resolve:
>> CUSTOM:resolve
>> socket-default:
>> CUSTOM:socket
>> CUSTOM:kernel-ipsec (soft)
>> stroke:
>> CUSTOM:stroke
>> PRIVKEY:RSA (soft)
>> PRIVKEY:ECDSA (soft)
>> PRIVKEY:DSA (soft)
>> CERT_DECODE:ANY (soft)
>> CERT_DECODE:X509 (soft)
>> CERT_DECODE:X509_CRL (soft)
>> CERT_DECODE:X509_AC (soft)
>> CERT_DECODE:TRUSTED_PUBKEY (soft)
>> updown:
>> CUSTOM:updown
>> eap-identity:
>> EAP_SERVER:ID
>> EAP_CLIENT:ID
>> eap-md5:
>> EAP_SERVER:MD5
>> HASHER:HASH_MD5
>> RNG:RNG_WEAK
>> EAP_CLIENT:MD5
>> HASHER:HASH_MD5
>> RNG:RNG_WEAK
>> xauth-generic:
>> XAUTH_SERVER:generic
>> XAUTH_CLIENT:generic
>> xauth-eap:
>> XAUTH_SERVER:eap
>>
>> # cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>> config setup
>> charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"
>>
>> conn home
>> left=10.x.x.x
>> leftid=0005B94234BD at picasso.com
>> leftauth=eap-md5
>> rightauth=psk
>> leftsourceip=%config
>> leftfirewall=yes
>> ike=3des-sha1-prfsha1-modp1024!
>> esp=aes128-sha1!
>> right=10.x.x.x
>> rightsubnet=0.0.0.0/0
>> rightid=%any
>> auto=add
>> mobike=no
>> dpddelay=200s
>> dpdaction=clear
>> rekey=yes
>> ikelifetime=86400
>> lifetime=36000
>> reauth=no
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>>
>> # cat /etc/strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>
>> # number of worker threads in charon
>> threads = 16
>>
>> close_ike_on_child_failure = yes
>> retransmit_tries = 20
>> retransmit_timeout = 20
>> retransmit_base = 1
>>
>> keep_alive = 20s
>> # send strongswan vendor ID?
>> # send_vendor_id = yes
>>
>> plugins {
>>
>> sql {
>> # loglevel to log into sql database
>> loglevel = -1
>> # URI to the database
>> # database = sqlite:///path/to/file.db
>> # database = mysql://user:password@localhost/database
>> }
>> resolve{
>> file = /etc/resolvtunnel.conf
>> }
>> kernel-netlink {
>> fwmark = !0x42
>> }
>> socket-default {
>> fwmark = 0x42
>> }
>> kernel-libipsec {
>> allow_peer_ts = yes
>> }
>> }
>>
>>
>> Let me know if this is an existing issue. Please let me know if any
>> further information is required.
>>
>> Regards,
>> Sriram.
>>
>>
>>
>>