[strongSwan] Data transfer stops
Tobias Brunner
tobias at strongswan.org
Tue Aug 22 11:18:24 CEST 2017
Hi Yuri,
> I got very high rekey rate because of low values of lifepackets and
> marginpackets parameters.
I see, you didn't point that out before.
> I changed these parameters to
>
> lifepackets=65535
> marginpackets=6500
>
> and decrease the rekey rate.
Not enough, the CHILD_SAs are still constantly rekeyed (just search for
"creating rekey job for CHILD_SA..." in the log), preventing the IKE_SA
from getting reauthenticated ("unable to reauthenticate...delaying for
..."). Is there a reason you set this limit so low? (When you
apparently have that much traffic on these SAs.)
Packet counts are not logged when deleting SAs, but transmitted bytes,
which are about 2 MiB from responder to initiator and 70-80 MiB from
initiator to responder for each rekeyed SA, the latter results in
packets around your packet limit. To avoid constant rekeyings you'll
have to increase the packet limit, depending on your setup (link speed,
MTU, algorithms etc.).
Just as an example, let's assume a link with e.g. 100 MiB/s throughput
via IPsec and an MTU of 1500 bytes. Let's further assume IPsec in
tunnel mode with AES/SHA-256 without UDP-encap (allowing at most 1438
bytes of data to be transported per packet), and that SAs should be used
for at least 60s and get rekeyed at least 10s before they expire, so
with rekeyfuzz=100% we double that margin and let the SA expire at 80s
and rekeying will start between 10-20s before that (see [1] for details):
104857600 / 1438 = 72919 packets/s
72919 * 10 = 729190 (=marginpackets)
72919 * 80 = 5833520 (=lifepackets)
That's all very rough but should give you an idea.
> I could agree with your argument about wrong timings in my systems, but
> how to explain fact that old version of Strongswan (5.3) works normally
> with my set-up?
I already explained the differences in my second email in this thread.
> My kernel is not so ancient - it corresponds version
> 3.10 (or something like), 2.6.54 - it is RHEL notation.
I see.
Regards,
Tobias
[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#ipsecconf-Formula
More information about the Users
mailing list