[strongSwan] How many concurrent connections can charon handle reliably?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Aug 22 19:31:13 CEST 2022 

Hi Rolf,

The data packets are processed by the kernel, so it's entirely a problem with either your kernel, the client, or related to the network.
I propose you investigate in detail and create some logs and so on.
The configs tell basically nothing relevant about what happens in your real life scenario.

Kind regards
Noel

On 22.08.22 16:19, Dr. Rolf Jansen wrote:
> I am not 100 % sure yet, however the impression is, not more than 1.
> 
> FreeBSD 13.1-RELEASE
> strongSwan 5.9.6
> 
> As soon as there are more than 1 connections having different virtual peer addresses connected to the same local address, the system suffers connection losses. From charon's point of view, the connections are still open, and there is nothing different with the SA’s and the SP’s, only the packet flow just stops.
> 
> This happens with IKEv1 in transport mode (for L2TP/IPsec) and with IKEv2 in tunnel mode.
> 
> When pinging continuously a respective peer from either side, the ping stalls after 5 to 25 min. First I saw this with more than one IKEv2 tunnel. Only yesterday, I established a  L2TP/IPsec connection to the same VPN server, while 2 IKEv2 tunnels were open. It started to work well as usual, only that the packet flow just stopped without further notice. The L2TP client dropped the connection after 27 min, but IPsec was already squeezed to no flow then for about 2 min.
> 
> Below are excerpts of ipsec.conf on the server side. The client sides are symmetrically similar.
> 
> Any ideas?
> 
> Best regards
> 
> Rolf
> 
> conn L2TP/IPsec-PSK
>     keyexchange = ikev1
>     type = transport
> 
>     leftauth = psk
>     left = %defaultroute
>     leftprotoport=17/1701
> 
>     rightauth = psk
>     right = %any
>     rightprotoport=17/%any
> 
>     auto = add
> 
> 
> conn IKEv2-1-PSK
>     keyexchange = ikev2
>     mobike = no
> 
>     leftauth = psk
>     leftid = example1 at example.com
>     leftsubnet = 10.u.v.0/24
> 
>     rightauth = psk
>     rightid = example1 at example.com
>     right = %any
>     rightsubnet = 10.x.y.0/24
> 
>     auto = add
> 
> conn IKEv2-2-PSK
>     ...
> 
> conn IKEv2-3-PSK
>     ...
> 
> etc.

More information about the Users mailing list