[strongSwan] How many concurrent connections can charon handle reliably?

[Dr. Rolf Jansen]

I am not 100 % sure yet, however the impression is, not more than 1.

FreeBSD 13.1-RELEASE
strongSwan 5.9.6

As soon as there are more than 1 connections having different virtual peer addresses connected to the same local address, the system suffers connection losses. From charon's point of view, the connections are still open, and there is nothing different with the SA’s and the SP’s, only the packet flow just stops.

This happens with IKEv1 in transport mode (for L2TP/IPsec) and with IKEv2 in tunnel mode.

When pinging continuously a respective peer from either side, the ping stalls after 5 to 25 min. First I saw this with more than one IKEv2 tunnel. Only yesterday, I established a  L2TP/IPsec connection to the same VPN server, while 2 IKEv2 tunnels were open. It started to work well as usual, only that the packet flow just stopped without further notice. The L2TP client dropped the connection after 27 min, but IPsec was already squeezed to no flow then for about 2 min.

Below are excerpts of ipsec.conf on the server side. The client sides are symmetrically similar.

Any ideas?

Best regards

Rolf 

conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/1701

   rightauth = psk
   right = %any
   rightprotoport=17/%any

   auto = add


conn IKEv2-1-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   leftid = example1 at example.com
   leftsubnet = 10.u.v.0/24

   rightauth = psk
   rightid = example1 at example.com
   right = %any
   rightsubnet = 10.x.y.0/24

   auto = add

conn IKEv2-2-PSK
   ...

conn IKEv2-3-PSK
   ...

etc.