[strongSwan] Simultaneous IKE SA establishment
divya mohan
m.divya.mohan at zoho.com
Wed Sep 30 13:59:06 CEST 2015
Hi,
I am using strongswan (charon) as server (roadwarrior) and client on two nodes.
Following is the strongswan.conf of server:
charon {
    block_threshold=50
    cookie_threshold=100
    reuse_ikesa=no
}
For clients:
charon {
    retransmit_tries=3
    dos_protection=no
}
The requirement is that one server should accept simultaneous
connection requests from 300 different clients, within three and a
half minutes.
I am occasionally facing the issue that a few of the clients do not
establish IKE_SA successfully.
Most of the time, around 270 or 280 clients connect simultaneously.
I can see logs like below for the failed cases:
CLIENT charon: 13[IKE] retransmit 3 of request with message ID 1
SERVER charon: 10[IKE] integrity check failed
SERVER charon: 10[IKE] IKE_AUTH request with message ID 1 processing failed
SERVER charon: 10[JOB] deleting half open IKE_SA after timeout
SERVER charon: 11[JOB] deleting half open IKE_SA after timeout
CLIENT charon: 09[IKE] giving up after 3 retransmits
CLIENT charon: 09[IKE] peer not responding, trying again (2/3)
CLIENT charon: 07[IKE] giving up after 3 retransmits
CLIENT charon: 07[IKE] peer not responding, trying again (2/3)
Sometimes, all 300 clients connect properly.
Since cookie_threshold is 100, I am expecting that 100 clients would
connect in the first attempt, 100 in the second re-transmit and 100 in
the 3rd re-transmit.
Are there any other configuration parameters that could be fine tuned
to achieve this?
- Divya
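
A small triage script for the log lines quoted above, as an added example that is not part of the original post: it classifies each charon message so that server-side half-open expiry and integrity failures can be counted separately from client-side retransmit exhaustion. The event names and the parse/summarize helpers are chosen for this example, and the CLIENT/SERVER prefix follows the poster's labelling rather than a real syslog format.

```python
import re
from collections import Counter

# Log lines as quoted in the post; CLIENT/SERVER is the poster's labelling.
SAMPLE_LOG = """\
CLIENT charon: 13[IKE] retransmit 3 of request with message ID 1
SERVER charon: 10[IKE] integrity check failed
SERVER charon: 10[IKE] IKE_AUTH request with message ID 1 processing failed
SERVER charon: 10[JOB] deleting half open IKE_SA after timeout
SERVER charon: 11[JOB] deleting half open IKE_SA after timeout
CLIENT charon: 09[IKE] giving up after 3 retransmits
CLIENT charon: 09[IKE] peer not responding, trying again (2/3)
CLIENT charon: 07[IKE] giving up after 3 retransmits
CLIENT charon: 07[IKE] peer not responding, trying again (2/3)
"""
LINE = re.compile(r"^(?P<role>\w+) charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
# Event names are labels invented for this example, not strongSwan terms.
PATTERNS = [
    ("retransmit", re.compile(r"retransmit (\d+) of request with message ID (\d+)")),
    ("integrity_failed", re.compile(r"integrity check failed")),
    ("request_failed", re.compile(r"(\S+) request with message ID (\d+) processing failed")),
    ("half_open_expired", re.compile(r"deleting half open IKE_SA after timeout")),
    ("gave_up", re.compile(r"giving up after (\d+) retransmits")),
    ("retry", re.compile(r"peer not responding, trying again \((\d+)/(\d+)\)")),
]

def parse(text):
    """Return (role, thread, event, captured_groups) for every recognised line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        for name, pat in PATTERNS if m else ():
            hit = pat.search(m["msg"])
            if hit:
                events.append((m["role"], m["thread"], name, hit.groups()))
                break
    return events

def summarize(events):
    counts = Counter((role, name) for role, _, name, _ in events)
    # Integrity failure followed by a failed request on the same thread names the exchange.
    unverified = [(cur[1], cur[3][0], cur[3][1])
                  for prev, cur in zip(events, events[1:])
                  if prev[2] == "integrity_failed" and cur[2] == "request_failed"
                  and prev[:2] == cur[:2]]
    # Last "trying again (k/n)" seen per client thread: keying attempt k of n.
    attempts = {thread: (int(g[0]), int(g[1]))
                for _, thread, name, g in events if name == "retry"}
    return {"counts": counts, "unverified": unverified, "attempts": attempts}
```

Running summarize(parse(...)) over full client and server logs from one test run gives per-side totals that can be compared against the number of clients that failed to connect.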