[strongSwan] Stroke self-DoS
Simon T
smith.not.western at gmail.com
Thu Nov 8 16:38:09 CET 2018
Hi,

Running the below command on a tunnel where the other endpoint isn't
responding results in an explosion of CHILD_CREATE tasks.

    while true; do ipsec stroke up-nb tun; done

Leave the command running for a couple of hours and ipsec statusall is full
of CHILD_CREATEs. Is there a way to prevent strongSwan from creating
new CHILD_CREATE tasks if the task already exists for the tunnel?

With tunnel config:

conn tun
    ikelifetime=14400s
    keylife=10800s
    rekeymargin=600s
    keyingtries=%forever
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp1536!
    esp=aes256-sha256-modp1536!
    auto=start
    forceencaps=no
    left=10.0.0.1
    leftfirewall=no
    leftid=
    leftsubnet=192.168.38.0/24
    rekeymargin=600s
    right=1.1.1.1
    rightfirewall=no
    rightid=
    rightsubnet=192.168.100.0/24

Regards,
Simon
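
One way to script the guard asked about above, as an added example that is not part of the original message and not strongSwan code: count the CHILD_CREATE tasks already pending for the connection and skip the initiation when there are any. It assumes `ipsec statusall` lists pending tasks on `name[id]: Tasks queued:` and `Tasks active:` lines; the sample text and the function names `count_child_create` and `up_once` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not strongSwan code). Function names are hypothetical.

# Constructed sample in the assumed `ipsec statusall` task-list layout;
# it is not captured output.
SAMPLE_STATUS='Security Associations (0 up, 1 connecting):
         tun[1]: CONNECTING, 10.0.0.1[%any]...1.1.1.1[%any]
         tun[1]: Tasks queued: CHILD_CREATE CHILD_CREATE CHILD_CREATE
         tun[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_AUTH CHILD_CREATE
       other[2]: Tasks queued: CHILD_CREATE'

# count_child_create CONN
# Reads status text on stdin and prints how many CHILD_CREATE entries sit on
# the "Tasks queued:" and "Tasks active:" lines that belong to CONN.
count_child_create() {
    awk -v conn="$1" '
        {
            name = $1
            sub(/\[[0-9]+\]:$/, "", name)      # "tun[1]:" -> "tun"
            if (name != conn || $2 != "Tasks") next
            if ($3 != "queued:" && $3 != "active:") next
            for (i = 4; i <= NF; i++) if ($i == "CHILD_CREATE") n++
        }
        END { print n + 0 }'
}

# up_once CONN
# Initiates CONN only when no CHILD_CREATE is already pending for it.
up_once() {
    pending=$(ipsec statusall | count_child_create "$1")
    if [ "$pending" -gt 0 ]; then
        echo "$1: $pending CHILD_CREATE task(s) pending, not initiating" >&2
        return 1
    fi
    ipsec stroke up-nb "$1"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | count_child_create tun
```

The check and the initiation are not atomic, so run the wrapper from a single caller rather than from several in parallel.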