[strongSwan] Charon crashes after trying to initiate 990+ IKE SAs

Volodymyr Litovka doka.ua at gmx.com
Wed Nov 18 10:07:17 CET 2020


Hi,


Whether this question is about the same thing I asked in my recent message -
how vici behaves with simultaneous calls?


On 18.11.2020 11:01, Liam Schönberg wrote:
> Hi,
>
> I'm encountering the situation where Charon crashes after trying to
> initiate 990+ IKE SAs. What we're trying to do here is a stress test
> against our VPN server.
>
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (108 bytes)
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating QUICK_MODE request 4075658581 [ HASH SA No KE ID ID ]
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (316 bytes)
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 05[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 05[NET] sending packet: from 100.84.217.47[10997] to 1.2.3.4[4500] (367 bytes)
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] received stroke: add connection 'CONN00998'
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] added configuration 'CONN00998'
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
> > Nov 17 21:54:24 ip-100-84-217-47 charon: 10[CFG] received stroke: initiate '10_akei00998'
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: reading stroke response failed
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> > Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
> > Nov 17 21:54:25 ip-100-84-217-47 systemd[1]: Started Session 4 of user ubuntu.
> > Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)
>
> Could anybody tell me what I should do differently, so that it can
> initiate up to 20,000 IKE SAs? Here's the config I'm using on the
> initiator side...
>
> > config setup
> > conn %default
> >         right=1.2.3.4
> >         ikelifetime=3600s
> >         keylife=28800s
> >         rekeymargin=3m
> >         keyingtries=1
> >         keyexchange=ikev1
> >         leftauth=psk
> >         rightauth=psk
> >         ike=aes128-sha1-modp1024!
> >         esp=aes128-sha1-modp1024!
> >         authby=secret
> >         aggressive=yes
> >         rightsubnet=100.110.171.0/24
> >         auto=add
> > conn CONN00001
> >         leftid=@INIT00001
> >         leftsubnet=10.1.1.0/24
> >         leftikeport=10001
> >         rightikeport=4500
>
> Any suggestions or comments would be greatly appreciated.
>
> Best regards,
>
> jellybeanshiba

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
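Added example (not from either poster, and not strongSwan code): a small log scanner for the kind of run quoted above. When the starter restarts charon within seconds, the crash is easy to miss in a long stress-test log; this separates "how far did the run get" (last IKE_SA established, SAs still in flight, connections pushed via stroke) from "why did it stop" (the fortify "buffer overflow detected" abort and the "charon has died" restart notice), so the numbers are in hand before touching the config. The sample lines are re-typed from the excerpt in the thread and are a constructed subset, not a full capture; the regexes assume the syslog layout shown there (timestamp, host, program with optional pid, message).

```python
"""Scan ipsec/charon syslog output from an IKE SA stress run and report how far
it got before the daemon died.  Log lines are constructed from the thread excerpt."""
import re
from dataclasses import dataclass, field

# Constructed sample: subset of the lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] received stroke: add connection 'CONN00998'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
Nov 17 21:54:24 ip-100-84-217-47 charon: 10[CFG] received stroke: initiate '10_akei00998'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)
"""

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> <prog>[<pid>]: <msg>", pid optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established")
INITIATING_RE = re.compile(r"initiating .*?IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]")
STROKE_ADD_RE = re.compile(r"received stroke: add connection '(?P<conn>[^']+)'")
DAEMON_START_RE = re.compile(r"Starting IKE charon daemon \((?P<ver>[^,]+),")
# Substrings that mean the daemon process is gone, regardless of who logged them.
FATAL_MARKERS = ("buffer overflow detected", "charon has died")


@dataclass
class RunSummary:
    established: list = field(default_factory=list)  # unique IKE_SA ids that completed
    initiated: list = field(default_factory=list)    # unique IKE_SA ids that were started
    added: list = field(default_factory=list)        # conn names added via stroke
    fatal: list = field(default_factory=list)        # (timestamp, message) crash evidence
    restarts: list = field(default_factory=list)     # version string per daemon (re)start
    unparsed: int = 0                                # lines not in the expected layout

    @property
    def last_established(self):
        return max(self.established) if self.established else None

    @property
    def in_flight(self):
        # Started but never seen established: the SAs the crash cut off.
        return sorted(set(self.initiated) - set(self.established))

    @property
    def crashed(self):
        return bool(self.fatal)


def parse_line(line):
    """Split one syslog line into its fields, or None if it does not fit the layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Walk the log once and classify each line by what it says about the run."""
    s = RunSummary()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            s.unparsed += 1
            continue
        msg = rec["msg"]
        if (m := ESTABLISHED_RE.search(msg)):
            s.established.append(int(m["id"]))
        elif (m := INITIATING_RE.search(msg)):
            s.initiated.append(int(m["id"]))
        elif (m := STROKE_ADD_RE.search(msg)):
            s.added.append(m["conn"])
        elif (m := DAEMON_START_RE.search(msg)):
            s.restarts.append(m["ver"])
        elif any(marker in msg for marker in FATAL_MARKERS):
            s.fatal.append((rec["ts"], msg))
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("last IKE_SA established:", summary.last_established)
    print("SAs in flight at crash:", summary.in_flight)
    print("conns added via stroke:", summary.added)
    print("daemon (re)starts:", summary.restarts)
    for ts, msg in summary.fatal:
        print("fatal:", ts, msg)
```

On the quoted excerpt this reports 988 as the last SA established, 997 still in flight, and two fatal lines: the fortify abort logged through the starter's pid and the starter's own "charon has died". Pointing it at the full log of a run (journalctl output works, as the layout is the same) gives the same per-run numbers each time, which is what you want when comparing a stroke-driven run against a vici-driven one.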
