Hi, I'm encountering the situation where Charon crashes after trying to initiate 990+ IKE SAs. What we're trying to do here is a stress test against our VPN server.
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (108 bytes)
> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[ENC] generating QUICK_MODE request 4075658581 [ HASH SA No KE ID ID ]
> Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (316 bytes)
> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
> Nov 17 21:54:24 ip-100-84-217-47 charon: 05[NET] sending packet: from 100.84.217.47[10997] to 1.2.3.4[4500] (367 bytes)
> Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] received stroke: add connection 'CONN00998'
> Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] added configuration 'CONN00998'
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
> Nov 17 21:54:24 ip-100-84-217-47 charon: 10[CFG] received stroke: initiate '10_akei00998'
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: reading stroke response failed
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
> Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
> Nov 17 21:54:25 ip-100-84-217-47 systemd[1]: Started Session 4 of user ubuntu.
> Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)

Could anybody tell me what I should do differently, so that it can initiate up to 20,000 IKE SAs?

Here's the config I'm using on the initiator side...

> config setup
>
> conn %default
>     right=1.2.3.4
>     ikelifetime=3600s
>     keylife=28800s
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     leftauth=psk
>     rightauth=psk
>     ike=aes128-sha1-modp1024!
>     esp=aes128-sha1-modp1024!
>     authby=secret
>     aggressive=yes
>     rightsubnet=100.110.171.0/24
>     auto=add
>
> conn CONN00001
>     leftid=@INIT00001
>     leftsubnet=10.1.1.0/24
>     leftikeport=10001
>     rightikeport=4500

Any suggestions or comments would be greatly appreciated.

Best regards,
jellybeanshiba
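As an added example (not part of the original post and not strongSwan or libreswan code), the following Python script parses the kind of syslog excerpt quoted above and reports how far a batch of IKE_SA initiations got before the daemon aborted, which local IKE ports were in use, how many `ipsec` control-socket connections failed afterwards, and when charon came back. The line shapes it understands (`ipsec[pid]:`, `charon:`, `systemd[pid]:` prefixes and the message texts seen in the post) are assumptions drawn from the quoted log; the embedded sample is a trimmed copy of those lines.

```python
"""Summarise a charon/ipsec syslog excerpt from a large IKE_SA initiation run.

Added example for the mailing-list post; not strongSwan code. The regexes
below are written against the line shapes visible in the quoted log and are
an assumption about the format, not a documented interface.
"""
import re

# Trimmed copy of the log lines quoted in the post (constructed sample input).
SAMPLE_LOG = """\
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IKE] IKE_SA CONN00988[988] established between 100.84.217.47[INIT00988]...1.2.3.4[1.2.3.4]
Nov 17 21:54:24 ip-100-84-217-47 charon: 13[NET] sending packet: from 100.84.217.47[10988] to 1.2.3.4[4500] (108 bytes)
Nov 17 21:54:24 ip-100-84-217-47 charon: 05[IKE] initiating Aggressive Mode IKE_SA CONN00997[997] to 1.2.3.4
Nov 17 21:54:24 ip-100-84-217-47 charon: 05[NET] sending packet: from 100.84.217.47[10997] to 1.2.3.4[4500] (367 bytes)
Nov 17 21:54:24 ip-100-84-217-47 charon: 06[CFG] added configuration 'CONN00998'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: 13[IK*** buffer overflow detected ***: /usr/lib/ipsec/charon terminated
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: reading stroke response failed
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Nov 17 21:54:24 ip-100-84-217-47 ipsec[2175]: charon has died -- restart scheduled (5sec)
Nov 17 21:54:25 ip-100-84-217-47 systemd[1]: Started Session 4 of user ubuntu.
Nov 17 21:54:29 ip-100-84-217-47 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1029-aws, x86_64)
"""

# "Mon DD HH:MM:SS host proc[pid]: message" -- pid is absent on charon's own lines.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z_-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established between")
INITIATING_RE = re.compile(r"initiating .*IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] to")
SEND_RE = re.compile(r"sending packet: from \S+\[(?P<port>\d+)\] to")
# glibc's fortify banner ("*** buffer overflow detected ***: <binary> terminated")
ABORT_RE = re.compile(r"\*\*\* (?P<reason>[^*]+) \*\*\*: (?P<binary>\S+) terminated")
STROKE_FAIL_RE = re.compile(r"failed to connect to stroke socket")
DIED_RE = re.compile(r"charon has died -- restart scheduled \((?P<delay>\d+)sec\)")
START_RE = re.compile(r"Starting IKE charon daemon \((?P<version>[^)]*)\)")


def parse_line(line):
    """Split one syslog line into its fields; None when the line does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the log in order and collect what an operator of a load run wants to know."""
    s = {
        "established": [],        # (conn name, IKE_SA id) of SAs that completed
        "highest_initiated": None,  # largest IKE_SA id charon started to bring up
        "local_ports": set(),     # source ports seen on outgoing IKE packets
        "abort": None,            # fortify/abort banner details if charon was killed
        "stroke_failures": 0,     # `ipsec` could not reach charon.ctl after the crash
        "restart_delay_sec": None,
        "restarted_version": None,
        "unparsed": 0,
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            s["unparsed"] += bool(raw.strip())
            continue
        msg = rec["msg"]
        m = ESTABLISHED_RE.search(msg)
        if m:
            s["established"].append((m["name"], int(m["id"])))
            continue
        m = INITIATING_RE.search(msg)
        if m:
            sa_id = int(m["id"])
            if s["highest_initiated"] is None or sa_id > s["highest_initiated"]:
                s["highest_initiated"] = sa_id
            continue
        m = SEND_RE.search(msg)
        if m:
            s["local_ports"].add(int(m["port"]))
            continue
        m = ABORT_RE.search(msg)
        if m:
            s["abort"] = {"reason": m["reason"], "binary": m["binary"], "at": rec["ts"]}
            continue
        if STROKE_FAIL_RE.search(msg):
            s["stroke_failures"] += 1
            continue
        m = DIED_RE.search(msg)
        if m:
            s["restart_delay_sec"] = int(m["delay"])
            continue
        m = START_RE.search(msg)
        if m:
            s["restarted_version"] = m["version"]
    s["local_ports"] = sorted(s["local_ports"])
    return s


def summarize_sample():
    """Run the parser over the embedded excerpt."""
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key}: {value}")
```

Feed it the real journal with `summarize(open("/var/log/syslog"))` instead of the sample; the gap between `highest_initiated` and the last entry in `established` shows how many SAs were still in flight when the abort fired, and `local_ports` confirms that each `leftikeport` from the generated conn blocks was actually used.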
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan