[strongSwan] Multiple SAs after rekey with traffic.
Makarand Pradhan
MakarandPradhan at is5com.com
Mon May 30 15:16:21 CEST 2022
GM Rajiv,
Appreciate your suggestions. Will test for 24 hours and get back.
With regards,
Makarand.
From: Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
Sent: May 25, 2022 3:35 PM
To: Makarand Pradhan <MakarandPradhan at is5com.com>
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] Multiple SAs after rekey with traffic.
Hi
1. why have you changed/set the "rekeyfuzz=0%" - i suggest that you should NOT change any of the "default/pre-defined" settings that are used in the Expry-Rekeying formulae such as "rekeyfuzz" which i believe is 100% as default value.....
2. so except for "margintime" (which is correctly set to 1m in your case becos you have reduces lifetimes for both ChildSA and also the IKE-SAs), dont change any of the default settings...especially in the "../strongswan.d/charon.conf" file....keep them as is...
3. Since you are using IKEv2.....please use the option "reauth=no"....strongly suggested for all IKEv2 based tunnels
regards
Rajiv
On Wed, May 18, 2022 at 6:53 PM Makarand Pradhan <MakarandPradhan at is5com.com<mailto:MakarandPradhan at is5com.com>> wrote:
GM All,
A quick update on the issue.
I upgraded to 5.9.6 and things have improved a lot. The issue has not been resolved completely but charon is now not hogging the CPU as much.
After a 24 hour traffic run, I still see multiple IKE and IPSec SAs created. All the same, not as many as I was noticing in 5.9.5.
I started with 50 SAs. Now after 24 hours, I have 146.
Routed Connections:
policy2{6}: ROUTED, TUNNEL, reqid 2
policy2{6}: 10.10.102.0/24<http://10.10.102.0/24> === 192.168.102.0/24<http://192.168.102.0/24>
Security Associations (146 up, 0 connecting):
Traffic is flowing, but CPU usage is way up.
Would highly appreciate if anyone can suggest if I have missed a config in charon.conf. Have tried but am not seeing any improvement.
Hoping to hear comments/suggestions on the issue.
Thanks and Regards,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com<mailto:makarandpradhan at is5com.com>
Website: www.iS5Com.com<http://www.iS5Com.com>
-----Original Message-----
From: Users <users-bounces at lists.strongswan.org<mailto:users-bounces at lists.strongswan.org>> On Behalf Of Makarand Pradhan
Sent: May 16, 2022 11:37 AM
To: Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
Subject: [strongSwan] Multiple SAs after rekey with traffic.
Good morning All,
I am facing an issue where the number of SAs keep on going up and then charon starts hogging the CPU. Will highly appreciate if anyone comment if I have misconfigured some parameter or if this is a known issue? Details below:
We are running Strongswan 5.9.5 on ppc64, Linux kernel 4.1.35.
It is noted that after a rekey timeout, a new SA is created(ESTABLISHED/INSTALLED). This happens only with traffic. Over a period of time, the number of SAs keep on increasing and then charon hogs the CPU.
Please find below the ipsec.conf that is being used and a log of my session showing the increasing number of SAs.
ipsec.conf
sh-4.3# cat /usr/local/etc/ipsec.conf
config setup
charondebug=@all@
cachecrls=yes
uniqueids=yes
strictcrlpolicy=no
#####IS5#####
conn policy1
type=tunnel
authby=secret
auto=route
keyexchange=ikev2
ike=aes256-sha512-modp1536!
aggressive=no
ikelifetime=40m
esp=aes256-sha256-modp2048!
lifetime=20m
right=172.16.100.101
rightid=172.16.100.101
rightsubnet=10.10.101.0/24<http://10.10.101.0/24>
left=172.16.100.1
leftid=172.16.100.1
leftsubnet=192.168.101.0/24<http://192.168.101.0/24>
dpddelay=60s
mobike=no
dpdaction=clear
margintime=1m
rekeyfuzz=0%
leftcert=
e.g. Tunnel is set up:
sh-4.3# date
Mon May 16 09:15:33 UTC 2022
sh-4.3# ipsec status policy1
Routed Connections:
policy1{1}: ROUTED, TUNNEL, reqid 1
policy1{1}: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24>
Security Associations (1 up, 0 connecting):
policy1[1]: ESTABLISHED 22 seconds ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
policy1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i c18d1d43_o
policy1{2}: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24>
After some time:
sh-4.3# ipsec statusall policy1
Status of IKE charon daemon (weakSwan 5.9.5, Linux 4.1.35-rt41, ppc64):
uptime: 77 minutes, since May 16 09:15:14 2022
malloc: sbrk 2400256, mmap 0, used 354336, free 2045920
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters Listening IP addresses:
10.10.5.1
192.168.101.11
192.168.10.1
192.168.50.2
172.16.100.1
Connections:
policy1: 172.16.100.1...172.16.100.101 IKEv2, dpddelay=60s
policy1: local: [172.16.100.1] uses pre-shared key authentication
policy1: remote: [172.16.100.101] uses pre-shared key authentication
policy1: child: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24> TUNNEL, dpdaction=clear
Routed Connections:
policy1{1}: ROUTED, TUNNEL, reqid 1
policy1{1}: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24>
Security Associations (2 up, 0 connecting):
policy1[2]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r, pre-shared key reauthentication in 17 seconds
policy1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
policy1{13}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i ca96f84a_o
policy1{13}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
policy1{13}: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24>
policy1[3]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*, pre-shared key reauthentication in 17 seconds
policy1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
policy1{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o
policy1{12}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
policy1{12}: 192.168.101.0/24<http://192.168.101.0/24> === 10.10.101.0/24<http://10.10.101.0/24>
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com<mailto:makarandpradhan at is5com.com>
Website: www.iS5Com.com<http://www.iS5Com.com>
Confidentiality Notice:
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220530/6820583c/attachment-0001.html>
More information about the Users
mailing list