Hi,

I'm using strongswan-5.3.0 for tunnel establishment. In that I'm trying out libipsec, which does userspace encryption/decryption.

In our lab I tested a scenario where I sent:

1. 20Mbps uplink traffic from the device where libipsec is running to a remote server.
2. 80Mbps downlink traffic from the remote server to the device where libipsec is running.

These two traffic streams are sent simultaneously using the iperf tool. I see that charon's memory usage gradually shoots up; it goes up to 630MB before the device crashes with out of memory.

Attaching the ipsec configuration at the device for reference:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.49-perf-g9578e9c-dirty, armv7l):
  uptime: 3 hours, since May 21 12:39:32 2015
  malloc: sbrk 262144, mmap 0, used 124296, free 137848
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
Listening IP addresses:
  10.206.1.195
  192.168.16.1
  192.168.17.1
  192.168.18.1
  192.168.19.1
  192.168.20.1
  192.168.21.1
  192.168.22.1
Connections:
        home:  10.x.x.x....10.x.x.x  IKEv2, dpddelay=200s
        home:   local:  [0005b9423...@picasso.com] uses EAP_MD5 authentication
        home:   remote: uses pre-shared key authentication
        home:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[0005b9423...@picasso.com]...10.x.x.x[a...@airvana.com]
        home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r, rekeying in 20 hours
        home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i 000a238e_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours
        home{1}:   10.220.10.116/32 === 0.0.0.0/0

# ipsec listall
List of registered IKE algorithms:
  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]
  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]
  aead:
  hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp] MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
List of loaded Plugins:
  charon: CUSTOM:libcharon NONCE_GEN CUSTOM:libcharon-receiver CUSTOM:kernel-ipsec CUSTOM:kernel-net CUSTOM:libcharon-receiver HASHER:HASH_SHA1 RNG:RNG_STRONG CUSTOM:socket
  aes: CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32
  des: CRYPTER:3DES_CBC-24 CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8
  sha1: HASHER:HASH_SHA1 PRF:PRF_KEYED_SHA1
  sha2: HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512
  md5: HASHER:HASH_MD5
  random: RNG:RNG_STRONG RNG:RNG_TRUE
  nonce: NONCE_GEN RNG:RNG_WEAK
  x509: CERT_ENCODE:X509 HASHER:HASH_SHA1 CERT_DECODE:X509 HASHER:HASH_SHA1 PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) CERT_ENCODE:X509_AC CERT_DECODE:X509_AC CERT_ENCODE:X509_CRL CERT_DECODE:X509_CRL CERT_ENCODE:X509_OCSP_REQUEST HASHER:HASH_SHA1 RNG:RNG_WEAK CERT_DECODE:X509_OCSP_RESPONSE CERT_ENCODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST
  revocation: CUSTOM:revocation CERT_ENCODE:X509_OCSP_REQUEST (soft) CERT_DECODE:X509_OCSP_RESPONSE (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509 (soft) FETCHER:(null) (soft)
  constraints: CUSTOM:constraints CERT_DECODE:X509 (soft)
  pubkey: CERT_ENCODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft)
  pkcs1: PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA
  pkcs7: CONTAINER_DECODE:PKCS7 CONTAINER_ENCODE:PKCS7_DATA CONTAINER_ENCODE:PKCS7_SIGNED_DATA CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
  pkcs8: PRIVKEY:ANY PRIVKEY:RSA PRIVKEY:ECDSA
  pgp: PRIVKEY:ANY PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA CERT_DECODE:PGP
  dnskey: PUBKEY:ANY PUBKEY:RSA
  pem: PRIVKEY:ANY PRIVKEY:ANY HASHER:HASH_MD5 (soft) PRIVKEY:RSA PRIVKEY:RSA HASHER:HASH_MD5 (soft) PRIVKEY:ECDSA PRIVKEY:ECDSA HASHER:HASH_MD5 (soft) PRIVKEY:DSA (not loaded) PRIVKEY:DSA HASHER:HASH_MD5 (soft) PUBKEY:ANY PUBKEY:ANY PUBKEY:RSA PUBKEY:RSA PUBKEY:ECDSA (not loaded) PUBKEY:ECDSA PUBKEY:DSA (not loaded) PUBKEY:DSA CERT_DECODE:ANY CERT_DECODE:X509 (soft) CERT_DECODE:PGP (soft) CERT_DECODE:X509 CERT_DECODE:X509 CERT_DECODE:X509_CRL CERT_DECODE:X509_CRL CERT_DECODE:X509_OCSP_REQUEST (not loaded) CERT_DECODE:X509_OCSP_REQUEST CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_AC CERT_DECODE:X509_AC CERT_DECODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:PGP CERT_DECODE:PGP CONTAINER_DECODE:PKCS12 (not loaded) CONTAINER_DECODE:PKCS12
  af-alg: CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8 CRYPTER:3DES_CBC-24 CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 CRYPTER:TWOFISH_CBC-16 CRYPTER:TWOFISH_CBC-24 CRYPTER:TWOFISH_CBC-32
  fips-prf: PRF:PRF_FIPS_SHA1_160 PRF:PRF_KEYED_SHA1
  gmp: DH:MODP_2048 RNG:RNG_STRONG DH:MODP_2048_224 RNG:RNG_STRONG DH:MODP_2048_256 RNG:RNG_STRONG DH:MODP_1536 RNG:RNG_STRONG DH:MODP_3072 RNG:RNG_STRONG DH:MODP_4096 RNG:RNG_STRONG DH:MODP_6144 RNG:RNG_STRONG DH:MODP_8192 RNG:RNG_STRONG DH:MODP_1024 RNG:RNG_STRONG DH:MODP_1024_160 RNG:RNG_STRONG DH:MODP_768 RNG:RNG_STRONG DH:MODP_CUSTOM RNG:RNG_STRONG PRIVKEY:RSA PRIVKEY_GEN:RSA RNG:RNG_TRUE PUBKEY:RSA PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1 PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1 RNG:RNG_WEAK
  cmac: PRF:PRF_AES128_CMAC CRYPTER:AES_CBC-16 SIGNER:AES_CMAC_96 CRYPTER:AES_CBC-16
  hmac: PRF:PRF_HMAC_SHA1 HASHER:HASH_SHA1 PRF:PRF_HMAC_MD5 HASHER:HASH_MD5 PRF:PRF_HMAC_SHA2_256 HASHER:HASH_SHA256 PRF:PRF_HMAC_SHA2_384 HASHER:HASH_SHA384 PRF:PRF_HMAC_SHA2_512 HASHER:HASH_SHA512 SIGNER:HMAC_SHA1_96 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_128 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_160 HASHER:HASH_SHA1 SIGNER:HMAC_MD5_96 HASHER:HASH_MD5 SIGNER:HMAC_MD5_128 HASHER:HASH_MD5 SIGNER:HMAC_SHA2_256_128 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_256_256 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_384_192 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_384_384 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_512_256 HASHER:HASH_SHA512 SIGNER:HMAC_SHA2_512_512 HASHER:HASH_SHA512
  attr: CUSTOM:attr
  kernel-libipsec: CUSTOM:kernel-ipsec CUSTOM:kernel-libipsec-router CUSTOM:libcharon-receiver
  kernel-netlink: CUSTOM:kernel-ipsec CUSTOM:kernel-net
  resolve: CUSTOM:resolve
  socket-default: CUSTOM:socket CUSTOM:kernel-ipsec (soft)
  stroke: CUSTOM:stroke PRIVKEY:RSA (soft) PRIVKEY:ECDSA (soft) PRIVKEY:DSA (soft) CERT_DECODE:ANY (soft) CERT_DECODE:X509 (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509_AC (soft) CERT_DECODE:TRUSTED_PUBKEY (soft)
  updown: CUSTOM:updown
  eap-identity: EAP_SERVER:ID EAP_CLIENT:ID
  eap-md5: EAP_SERVER:MD5 HASHER:HASH_MD5 RNG:RNG_WEAK EAP_CLIENT:MD5 HASHER:HASH_MD5 RNG:RNG_WEAK
  xauth-generic: XAUTH_SERVER:generic XAUTH_CLIENT:generic
  xauth-eap: XAUTH_SERVER:eap

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"

conn home
        left=10.x.x.x
        leftid=0005b9423...@picasso.com
        leftauth=eap-md5
        rightauth=psk
        leftsourceip=%config
        leftfirewall=yes
        ike=3des-sha1-prfsha1-modp1024!
        esp=aes128-sha1!
        right=10.x.x.x
        rightsubnet=0.0.0.0/0
        rightid=%any
        auto=add
        mobike=no
        dpddelay=200s
        dpdaction=clear
        rekey=yes
        ikelifetime=86400
        lifetime=36000
        reauth=no
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
        # number of worker threads in charon
        threads = 16
        close_ike_on_child_failure = yes
        retransmit_tries = 20
        retransmit_timeout = 20
        retransmit_base = 1
        keep_alive = 20s

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {
                sql {
                        # loglevel to log into sql database
                        loglevel = -1
                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                resolve {
                        file = /etc/resolvtunnel.conf
                }
                kernel-netlink {
                        fwmark = !0x42
                }
                socket-default {
                        fwmark = 0x42
                }
                kernel-libipsec {
                        allow_peer_ts = yes
                }
        }
}

Let me know if this is an existing issue. Please let me know if any further information is required.

Regards,
Sriram.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
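To trend the growth reported above rather than eyeball it, here is a small parser for the `malloc:` and CHILD_SA counter lines of `ipsec statusall`, added as an example; it is not part of Sriram's report or of strongSwan itself. The SAMPLE text is an excerpt constructed from the output quoted in the post, and reading VmRSS from `/proc/<pid>/status` is assumed to be available on the device's Linux kernel.

```python
"""Parse `ipsec statusall` output so memory and traffic counters can be trended over time."""
import re

MALLOC_RE = re.compile(r"malloc: sbrk (\d+), mmap (\d+), used (\d+), free (\d+)")
# CHILD_SA traffic line, e.g. "home{1}: AES_CBC_128/HMAC_SHA1_96, N bytes_i (P pkts, 9s ago), ..."
# The "(P pkts, ...)" part is printed only once a packet has been seen, so it is optional here.
CHILD_RE = re.compile(r"(\S+\{\d+\}):\s+\S+, (\d+) bytes_i(?: \((\d+) pkts[^)]*\))?, "
                      r"(\d+) bytes_o(?: \((\d+) pkts[^)]*\))?")
VMRSS_RE = re.compile(r"^VmRSS:\s+(\d+) kB", re.M)

# Constructed excerpt of the statusall output quoted in the post above.
SAMPLE = """\
  malloc: sbrk 262144, mmap 0, used 124296, free 137848
  home{1}:  AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181 pkts, 9s ago), \
21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6 hours
"""

def parse_statusall(text):
    """Malloc counters plus bytes/packets in and out per CHILD_SA."""
    sample = {"malloc": None, "child_sas": {}}
    m = MALLOC_RE.search(text)
    if m:
        sample["malloc"] = dict(zip(("sbrk", "mmap", "used", "free"), map(int, m.groups())))
    for sa, bi, pi, bo, po in CHILD_RE.findall(text):
        sample["child_sas"][sa] = {"bytes_i": int(bi), "pkts_i": int(pi or 0),
                                   "bytes_o": int(bo), "pkts_o": int(po or 0)}
    return sample

def parse_vmrss_kb(proc_status_text):
    """RSS from /proc/<pid>/status; the malloc line only shows charon's own heap bookkeeping."""
    m = VMRSS_RE.search(proc_status_text)
    return int(m.group(1)) if m else None

def rates(before, after, seconds):
    """Mbit/s per CHILD_SA and growth of malloc 'used' in bytes/s between two samples."""
    out = {"used_growth_bps": None, "child_sas": {}}
    if before["malloc"] and after["malloc"]:
        out["used_growth_bps"] = (after["malloc"]["used"] - before["malloc"]["used"]) / seconds
    for sa, b in before["child_sas"].items():
        a = after["child_sas"].get(sa)
        if a:  # a rekeyed SA gets a new index and fresh counters, so only compare like with like
            out["child_sas"][sa] = {
                "mbit_in": (a["bytes_i"] - b["bytes_i"]) * 8 / seconds / 1e6,
                "mbit_out": (a["bytes_o"] - b["bytes_o"]) * 8 / seconds / 1e6}
    return out

if __name__ == "__main__":
    # Live use: feed subprocess.check_output(["ipsec", "statusall"], text=True) taken twice
    # some seconds apart into rates(), and /proc/$(pidof charon)/status into parse_vmrss_kb().
    print(parse_statusall(SAMPLE))
```

Comparing `used_growth_bps` with the VmRSS trend tells you whether the growth is visible in charon's own heap accounting or only in the process RSS, which narrows down where to look next.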