[strongSwan] Multiple SAs after rekey with traffic.

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Wed May 25 21:35:08 CEST 2022


Hi

1. Why have you changed/set "rekeyfuzz=0%"? I suggest that you should
NOT change any of the "default/pre-defined" settings that are used in the
expiry/rekeying formulae, such as "rekeyfuzz", which I believe is 100% as
the default value.

2. So, except for "margintime" (which is correctly set to 1m in your case
because you have reduced the lifetimes for both the ChildSA and the IKE SAs),
don't change any of the default settings, especially in the
"../strongswan.d/charon.conf" file. Keep them as is.

3. Since you are using IKEv2, please use the option
"reauth=no". This is strongly suggested for all IKEv2-based tunnels.



regards
Rajiv






On Wed, May 18, 2022 at 6:53 PM Makarand Pradhan <MakarandPradhan at is5com.com>
wrote:

> GM All,
>
> A quick update on the issue.
>
> I upgraded to 5.9.6 and things have improved a lot. The issue has not been
> resolved completely but charon is now not hogging the CPU as much.
>
> After a 24 hour traffic run, I still see multiple IKE and IPSec SAs
> created. All the same, not as many as I was noticing in 5.9.5.
>
> I started with 50 SAs. Now after 24 hours, I have 146.
>
> Routed Connections:
>      policy2{6}:  ROUTED, TUNNEL, reqid 2
>      policy2{6}:   10.10.102.0/24 === 192.168.102.0/24
> Security Associations (146 up, 0 connecting):
>
> Traffic is flowing, but CPU usage is way up.
>
> I would highly appreciate it if anyone could suggest whether I have missed a
> config in charon.conf. I have tried, but am not seeing any improvement.
>
> Hoping to hear comments/suggestions on the issue.
>
> Thanks and Regards,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
>
> -----Original Message-----
> From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand
> Pradhan
> Sent: May 16, 2022 11:37 AM
> To: Users at lists.strongswan.org
> Subject: [strongSwan] Multiple SAs after rekey with traffic.
>
> Good morning All,
>
> I am facing an issue where the number of SAs keeps going up and then
> charon starts hogging the CPU. I would highly appreciate it if anyone could
> comment on whether I have misconfigured some parameter or if this is a known
> issue. Details below:
>
> We are running Strongswan 5.9.5 on ppc64, Linux kernel 4.1.35.
>
> It is noted that after a rekey timeout, a new SA is
> created (ESTABLISHED/INSTALLED). This happens only with traffic. Over a
> period of time, the number of SAs keeps increasing and then charon hogs
> the CPU.
>
> Please find below the ipsec.conf that is being used and a log of my
> session showing the increasing number of SAs.
>
> ipsec.conf
>
> sh-4.3# cat /usr/local/etc/ipsec.conf
> config setup
>         charondebug=@all@
>         cachecrls=yes
>         uniqueids=yes
>         strictcrlpolicy=no
>
> #####IS5#####
> conn policy1
>         type=tunnel
>         authby=secret
>         auto=route
>         keyexchange=ikev2
>         ike=aes256-sha512-modp1536!
>         aggressive=no
>         ikelifetime=40m
>         esp=aes256-sha256-modp2048!
>         lifetime=20m
>         right=172.16.100.101
>         rightid=172.16.100.101
>         rightsubnet=10.10.101.0/24
>         left=172.16.100.1
>         leftid=172.16.100.1
>         leftsubnet=192.168.101.0/24
>         dpddelay=60s
>         mobike=no
>         dpdaction=clear
>         margintime=1m
>         rekeyfuzz=0%
>         leftcert=
>
>
> e.g. Tunnel is set up:
>
> sh-4.3# date
> Mon May 16 09:15:33 UTC 2022
> sh-4.3# ipsec status policy1
> Routed Connections:
>      policy1{1}:  ROUTED, TUNNEL, reqid 1
>      policy1{1}:   192.168.101.0/24 === 10.10.101.0/24
> Security Associations (1 up, 0 connecting):
>      policy1[1]: ESTABLISHED 22 seconds ago,
> 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>      policy1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i
> c18d1d43_o
>      policy1{2}:   192.168.101.0/24 === 10.10.101.0/24
>
> After some time:
>
>
> sh-4.3# ipsec statusall policy1
> Status of IKE charon daemon (weakSwan 5.9.5, Linux 4.1.35-rt41, ppc64):
>   uptime: 77 minutes, since May 16 09:15:14 2022
>   malloc: sbrk 2400256, mmap 0, used 354336, free 2045920
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 6
>   loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr
> kernel-netlink resolve socket-default farp stroke vici updown xauth-generic
> counters Listening IP addresses:
>   10.10.5.1
>   192.168.101.11
>   192.168.10.1
>   192.168.50.2
>   172.16.100.1
> Connections:
>      policy1:  172.16.100.1...172.16.100.101  IKEv2, dpddelay=60s
>      policy1:   local:  [172.16.100.1] uses pre-shared key authentication
>      policy1:   remote: [172.16.100.101] uses pre-shared key authentication
>      policy1:   child:  192.168.101.0/24 === 10.10.101.0/24 TUNNEL,
> dpdaction=clear
> Routed Connections:
>      policy1{1}:  ROUTED, TUNNEL, reqid 1
>      policy1{1}:   192.168.101.0/24 === 10.10.101.0/24
> Security Associations (2 up, 0 connecting):
>      policy1[2]: ESTABLISHED 38 minutes ago,
> 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>      policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r,
> pre-shared key reauthentication in 17 seconds
>      policy1[2]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>      policy1{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i
> ca96f84a_o
>      policy1{13}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0
> bytes_o, rekeying in 18 minutes
>      policy1{13}:   192.168.101.0/24 === 10.10.101.0/24
>      policy1[3]: ESTABLISHED 38 minutes ago,
> 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>      policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*,
> pre-shared key reauthentication in 17 seconds
>      policy1[3]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>      policy1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i
> c5dad3ed_o
>      policy1{12}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0
> bytes_o, rekeying in 18 minutes
>      policy1{12}:   192.168.101.0/24 === 10.10.101.0/24
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
>
>
>
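An added worked example, not code from this thread or from the strongSwan project, of the rekey timing that Rajiv's first point refers to. It models the formula given in the ipsec.conf(5) manual page, rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)), using the lifetime/ikelifetime/margintime/rekeyfuzz values from Makarand's quoted ipsec.conf, and shows what rekeyfuzz=0% does: both peers then compute exactly the same rekey second, whereas the default fuzz of 100% spreads the rekey start over a window so that simultaneous rekeying by both ends becomes rare. The names RekeyParams, rekey_window, rekey_time, simultaneous_rekey_fraction and check_params are my own; the two-peer simulation assumes both ends run the same settings and draw their fuzz independently.

```python
"""Model of strongSwan's rekey scheduling (added example, not project code).

Formula from the ipsec.conf(5) manual page:
    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
Durations are in seconds; rekeyfuzz is a percentage (strongSwan default 100).
"""
import random
from dataclasses import dataclass

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse an ipsec.conf duration such as '20m', '1m' or '40s' into seconds."""
    text = text.strip()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)  # bare number: seconds


@dataclass(frozen=True)
class RekeyParams:
    lifetime: int    # 'lifetime' (CHILD_SA) or 'ikelifetime' (IKE_SA), seconds
    margintime: int  # seconds before expiry at which rekeying starts
    rekeyfuzz: int   # percent by which margintime may be randomly increased

    @classmethod
    def from_conf(cls, lifetime: str, margintime: str, rekeyfuzz: str) -> "RekeyParams":
        """Build from the string values as written in ipsec.conf."""
        return cls(parse_duration(lifetime), parse_duration(margintime),
                   int(rekeyfuzz.strip().rstrip("%")))

    @property
    def max_fuzz(self) -> int:
        """Largest random addition to margintime: margintime * rekeyfuzz."""
        return self.margintime * self.rekeyfuzz // 100


def rekey_window(p: RekeyParams) -> tuple:
    """Earliest and latest second (after SA creation) at which a rekey can start."""
    latest = p.lifetime - p.margintime
    return latest - p.max_fuzz, latest


def rekey_time(p: RekeyParams, rng: random.Random) -> int:
    """One concrete rekey time, drawn the way the formula describes."""
    return p.lifetime - (p.margintime + rng.randint(0, p.max_fuzz))


def simultaneous_rekey_fraction(p: RekeyParams, trials: int, seed: int = 0) -> float:
    """Fraction of SAs for which two peers with identical settings and
    independent random draws would start rekeying in the same second."""
    rng = random.Random(seed)
    hits = sum(rekey_time(p, rng) == rekey_time(p, rng) for _ in range(trials))
    return hits / trials


def check_params(p: RekeyParams) -> list:
    """Sanity checks a reviewer would apply to the settings in the thread."""
    problems = []
    if p.margintime >= p.lifetime:
        problems.append("margintime must be smaller than lifetime")
    if p.rekeyfuzz == 0:
        problems.append("rekeyfuzz=0%: no jitter, every SA rekeys at exactly "
                        "lifetime - margintime on both peers")
    return problems


if __name__ == "__main__":
    # Values from the ipsec.conf quoted in the thread
    child = RekeyParams.from_conf("20m", "1m", "0%")
    ike = RekeyParams.from_conf("40m", "1m", "0%")
    print("CHILD_SA rekey window:", rekey_window(child), check_params(child))
    print("IKE_SA rekey window:", rekey_window(ike))
    # Same lifetimes with the default fuzz restored
    child_default = RekeyParams.from_conf("20m", "1m", "100%")
    print("CHILD_SA window with rekeyfuzz=100%:", rekey_window(child_default))
    print("simultaneous rekeys, fuzz=0%:", simultaneous_rekey_fraction(child, 1000))
    print("simultaneous rekeys, fuzz=100%:", simultaneous_rekey_fraction(child_default, 1000))
```

With the thread's settings the CHILD_SA rekey is pinned to second 1140 and the IKE_SA rekey to second 2340 on both ends; restoring rekeyfuzz=100% turns the CHILD_SA rekey into a window of 1080 to 1140 seconds, and the simulation shows the share of same-second rekeys dropping from all of them to a few percent.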