[strongSwan] Charon crashes after trying to initiate 990+ IKE SAs

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 18 10:37:29 CET 2020


Hi,

Please provide all information as shown on the HelpRequests[1] page, as well as the stacktrace.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 18.11.20 at 10:01, Liam Schönberg wrote:
> Hi,
> 
> I'm encountering the situation where Charon crashes after trying to initiate 990+ IKE SAs. What we're trying to do here is a stress test against our VPN server.
> 
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (108 bytes)
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating QUICK_MODE request 4075658581 [ HASH SA No KE ID ID ]
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (316 bytes)
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[NET] sending packet: from 100.84.217.47[10997] to 1.2.3.4[4500] (367 bytes)
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] received stroke: add connection 'CONN00998'
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] added configuration 'CONN00998'
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
>> Nov 17 21:54:24 ip-100-84-217-47 charon: 10[CFG] received stroke: initiate '10_akei00998'
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: reading stroke response failed
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
>> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
>> Nov 17 21:54:25 ip-100-84-217-47 systemd[1]: Started Session 4 of user ubuntu.
>> Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)
> 
> Could anybody tell me what I should do differently, so that it can initiate up to 20,000 IKE SAs? Here's the config I'm using on the initiator side...
> 
>> config setup
>> conn %default
>>         right=1.2.3.4
>>         ikelifetime=3600s
>>         keylife=28800s
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev1
>>         leftauth=psk
>>         rightauth=psk
>>         ike=aes128-sha1-modp1024!
>>         esp=aes128-sha1-modp1024!
>>         authby=secret
>>         aggressive=yes
>>         rightsubnet=100.110.171.0/24
>>         auto=add
>> conn CONN00001
>>         leftid=@INIT00001
>>         leftsubnet=10.1.1.0/24
>>         leftikeport=10001
>>         rightikeport=4500
> 
> Any suggestions or comments would be greatly appreciated.
> 
> Best regards,
> 
> jellybeanshiba
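The crash in the quoted log is not a strongSwan-level error but a glibc hardening abort: the text "*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated" is what FORTIFY_SOURCE prints to stderr before killing the process, which is why it lands in the middle of an interleaved syslog line and why a stacktrace is what the maintainers need. As an added example that is not part of this thread, the following Python scanner walks syslog lines of the shape shown above, records how far the IKE_SA ramp-up got, flags the hardening abort and the scheduled restart, and notes the daemon version that comes back. The regexes are assumptions derived from the excerpt, and the sample lines are constructed after it (CONN00987 is made up; the rest mirror the post).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog line as in the post: "Nov 17 21:54:24 host prog[pid]: msg" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established")
INITIATING_RE = re.compile(r"initiating .*IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] to")
# glibc hardening failures (FORTIFY_SOURCE, stack protector) abort the process with
# "*** <reason> ***: <binary> terminated" on stderr. In the post that text is spliced
# into a half-written syslog line ("13[IK*** buffer ..."), so we search, not match.
HARDENING_ABORT_RE = re.compile(
    r"\*\*\* (?P<reason>[^*]+?) \*\*\*: (?P<binary>\S+) terminated"
)
DIED_RE = re.compile(r"charon has died -- restart scheduled")
STARTING_RE = re.compile(r"Starting IKE charon daemon \(strongSwan (?P<version>[\d.]+)")

# Constructed sample, modelled on the excerpt in the post (CONN00987 is invented).
SAMPLE_LOG = """\
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00987[987] established between 100.84.217.47[INIT00987]...1.2.3.4[1.2.3.4]
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] received stroke: add connection 'CONN00998'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)
""".splitlines()


@dataclass
class CharonCrashReport:
    established: int = 0                    # IKE_SAs that reached "established"
    max_established_id: int = 0             # highest IKE_SA unique id seen established
    last_initiated: Optional[str] = None    # last "initiating ... IKE_SA" seen
    abort_reason: Optional[str] = None      # e.g. "buffer overflow detected"
    abort_binary: Optional[str] = None      # binary named in the abort message
    abort_ts: Optional[str] = None          # syslog timestamp of the abort line
    restart_scheduled: bool = False         # starter announced a charon restart
    restarted_version: Optional[str] = None # version string of the daemon that came back
    alerts: List[str] = field(default_factory=list)


def analyse(lines) -> CharonCrashReport:
    """Walk syslog lines in order and summarise the IKE_SA ramp-up and any crash."""
    r = CharonCrashReport()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand; ignore
        ts, msg = m["ts"], m["msg"]
        e = ESTABLISHED_RE.search(msg)
        if e:
            r.established += 1
            r.max_established_id = max(r.max_established_id, int(e["id"]))
            continue
        i = INITIATING_RE.search(msg)
        if i:
            r.last_initiated = f'{i["name"]}[{i["id"]}]'
            continue
        a = HARDENING_ABORT_RE.search(msg)
        if a and r.abort_reason is None:  # only the first abort is the interesting one
            r.abort_reason, r.abort_binary, r.abort_ts = a["reason"], a["binary"], ts
            r.alerts.append(
                f"{ts}: {a['binary']} aborted by glibc hardening ({a['reason']}) "
                f"after {r.established} established IKE_SAs "
                f"(highest id {r.max_established_id}, last initiated {r.last_initiated})"
            )
            continue
        if DIED_RE.search(msg):
            r.restart_scheduled = True
            continue
        s = STARTING_RE.search(msg)
        if s and r.abort_reason is not None:  # a start after an abort = a restart
            r.restarted_version = s["version"]
            r.alerts.append(
                f"{ts}: charon restarted (strongSwan {s['version']}); "
                "every IKE_SA established before the abort is gone"
            )
    return r


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG).alerts:
        print(alert)
```

The point of keeping `abort_reason`, `abort_binary` and the pre-abort counters separately is that a hardening abort is a memory-safety failure in the daemon, not an operational limit, so the useful report is "which build, how many SAs in, what was being initiated", which is exactly the context a bug report with a stacktrace needs. Feed the function real syslog or journal lines the same way; lines it does not recognise are skipped.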
