[strongSwan] Simultaneous IKE SA establishment

divya mohan m.divya.mohan at zoho.com
Wed Sep 30 13:59:06 CEST 2015


Hi,

I am using strongswan (charon) as server (roadwarrior) and client on two nodes.

Following is the strongswan.conf of server:

charon {
block_threshold=50
cookie_threshold=100
reuse_ikesa=no
}

For clients:

charon {
retransmit_tries=3
dos_protection=no
}


The requirement is that one server should accept simultaneous
connection requests from 300 different clients, within three and a
half minutes.
I am occasionally facing this issue that a few of the clients do not
establish IKE_SA successfully.

Most of the time, around 270 or 280 clients connect simultaneously.
I can see logs like below for the failed cases:

CLIENT    charon: 13[IKE] retransmit 3 of request with message ID 1
SERVER charon: 10[IKE] integrity check failed
SERVER charon: 10[IKE] IKE_AUTH request with message ID 1 processing failed
SERVER charon: 10[JOB] deleting half open IKE_SA after timeout
SERVER  charon: 11[JOB] deleting half open IKE_SA after timeout

CLIENT charon: 09[IKE] giving up after 3 retransmits
CLIENT charon: 09[IKE] peer not responding, trying again (2/3)
CLIENT charon: 07[IKE] giving up after 3 retransmits
CLIENT charon: 07[IKE] peer not responding, trying again (2/3)

Sometimes, all 300 clients connect properly.

Since cookie_threshold is 100, I am expecting that 100 clients would
connect in the first attempt, 100 in the second retransmit and 100 in
the 3rd retransmit.
Are there any other configuration parameters that could be fine-tuned
to achieve this?

- Divya
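Added example (not part of the post or of strongSwan): a Python script that reads retransmit_tries from the client strongswan.conf quoted above, computes when charon gives up on a request using the documented charon defaults retransmit_timeout=4.0 and retransmit_base=1.8 (unset in the post, so assumed here), and tallies the quoted log symptoms per node; DEFAULTS, EVENTS and the function names are the example's own.

```python
import re

# Documented charon defaults for the options the post leaves unset (assumption of this example).
DEFAULTS = {"retransmit_tries": 5, "retransmit_timeout": 4.0, "retransmit_base": 1.8}

# Constructed copies of the client strongswan.conf and the log lines quoted in the post.
CLIENT_CONF = "charon {\nretransmit_tries=3\ndos_protection=no\n}\n"
LOG = """\
CLIENT    charon: 13[IKE] retransmit 3 of request with message ID 1
SERVER charon: 10[IKE] integrity check failed
SERVER charon: 10[IKE] IKE_AUTH request with message ID 1 processing failed
SERVER charon: 10[JOB] deleting half open IKE_SA after timeout
SERVER  charon: 11[JOB] deleting half open IKE_SA after timeout
CLIENT charon: 09[IKE] giving up after 3 retransmits
CLIENT charon: 09[IKE] peer not responding, trying again (2/3)
"""
# Log message patterns for the symptoms reported in the post.
EVENTS = {
    "retransmit": r"retransmit \d+ of request",
    "integrity_failed": r"integrity check failed",
    "auth_failed": r"IKE_AUTH request .* processing failed",
    "half_open_timeout": r"deleting half open IKE_SA after timeout",
    "gave_up": r"giving up after \d+ retransmits",
    "retry": r"peer not responding, trying again",
}

def parse_charon_section(conf):
    """Merge the key=value pairs of the top-level charon { } block over DEFAULTS."""
    opts = dict(DEFAULTS)
    block = re.search(r"charon\s*\{(.*?)\}", conf, re.S)
    for line in block.group(1).splitlines() if block else []:
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            opts[k] = type(DEFAULTS[k])(v) if k in DEFAULTS else v
    return opts

def give_up_after(opts):
    """Seconds until 'giving up after N retransmits': waits of timeout * base**n for n = 0..tries."""
    t, b, n = opts["retransmit_timeout"], opts["retransmit_base"], opts["retransmit_tries"]
    return round(sum(t * b ** i for i in range(n + 1)), 2)

def classify_log(text):
    """Count each symptom per role (CLIENT/SERVER) over charon log lines."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"(CLIENT|SERVER)\s+charon: \d+\[\w+\] (.*)", line)
        for name, pat in EVENTS.items() if m else []:
            if re.search(pat, m.group(2)):
                counts[(m.group(1), name)] = counts.get((m.group(1), name), 0) + 1
    return counts
```

With retransmit_tries=3 the give-up point is about 47 s after the first send, against about 165 s with the default of 5.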

