Hi

1. why have you changed/set the "rekeyfuzz=0%" - i suggest that you should NOT change any of the "default/pre-defined" settings that are used in the Expiry-Rekeying formulae such as "rekeyfuzz" which i believe is 100% as default value.....

2. so except for "margintime" (which is correctly set to 1m in your case because you have reduced lifetimes for both ChildSA and also the IKE-SAs), don't change any of the default settings...especially in the "../strongswan.d/charon.conf" file....keep them as is...

3. Since you are using IKEv2.....please use the option "reauth=no"....strongly suggested for all IKEv2 based tunnels

regards
Rajiv

On Wed, May 18, 2022 at 6:53 PM Makarand Pradhan <[email protected]> wrote:
> GM All,
>
> A quick update on the issue.
>
> I upgraded to 5.9.6 and things have improved a lot. The issue has not been resolved completely but charon is now not hogging the CPU as much.
>
> After a 24 hour traffic run, I still see multiple IKE and IPSec SAs created. All the same, not as many as I was noticing in 5.9.5.
>
> I started with 50 SAs. Now after 24 hours, I have 146.
>
> Routed Connections:
>   policy2{6}: ROUTED, TUNNEL, reqid 2
>   policy2{6}: 10.10.102.0/24 === 192.168.102.0/24
> Security Associations (146 up, 0 connecting):
>
> Traffic is flowing, but CPU usage is way up.
>
> Would highly appreciate if anyone can suggest if I have missed a config in charon.conf. Have tried but am not seeing any improvement.
>
> Hoping to hear comments/suggestions on the issue.
>
> Thanks and Regards,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax: +1-289-401-5206
> Email: [email protected]
> Website: www.iS5Com.com
>
> -----Original Message-----
> From: Users <[email protected]> On Behalf Of Makarand Pradhan
> Sent: May 16, 2022 11:37 AM
> To: [email protected]
> Subject: [strongSwan] Multiple SAs after rekey with traffic.
>
> Good morning All,
>
> I am facing an issue where the number of SAs keeps on going up and then charon starts hogging the CPU. Will highly appreciate if anyone can comment on whether I have misconfigured some parameter or if this is a known issue. Details below:
>
> We are running Strongswan 5.9.5 on ppc64, Linux kernel 4.1.35.
>
> It is noted that after a rekey timeout, a new SA is created (ESTABLISHED/INSTALLED). This happens only with traffic. Over a period of time, the number of SAs keeps on increasing and then charon hogs the CPU.
>
> Please find below the ipsec.conf that is being used and a log of my session showing the increasing number of SAs.
>
> ipsec.conf
>
> sh-4.3# cat /usr/local/etc/ipsec.conf
> config setup
>     charondebug=@all@
>     cachecrls=yes
>     uniqueids=yes
>     strictcrlpolicy=no
>
> #####IS5#####
> conn policy1
>     type=tunnel
>     authby=secret
>     auto=route
>     keyexchange=ikev2
>     ike=aes256-sha512-modp1536!
>     aggressive=no
>     ikelifetime=40m
>     esp=aes256-sha256-modp2048!
>     lifetime=20m
>     right=172.16.100.101
>     rightid=172.16.100.101
>     rightsubnet=10.10.101.0/24
>     left=172.16.100.1
>     leftid=172.16.100.1
>     leftsubnet=192.168.101.0/24
>     dpddelay=60s
>     mobike=no
>     dpdaction=clear
>     margintime=1m
>     rekeyfuzz=0%
>     leftcert=
>
> e.g. Tunnel is set up:
>
> sh-4.3# date
> Mon May 16 09:15:33 UTC 2022
> sh-4.3# ipsec status policy1
> Routed Connections:
>   policy1{1}: ROUTED, TUNNEL, reqid 1
>   policy1{1}: 192.168.101.0/24 === 10.10.101.0/24
> Security Associations (1 up, 0 connecting):
>   policy1[1]: ESTABLISHED 22 seconds ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>   policy1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i c18d1d43_o
>   policy1{2}: 192.168.101.0/24 === 10.10.101.0/24
>
> After some time:
>
> sh-4.3# ipsec statusall policy1
> Status of IKE charon daemon (weakSwan 5.9.5, Linux 4.1.35-rt41, ppc64):
>   uptime: 77 minutes, since May 16 09:15:14 2022
>   malloc: sbrk 2400256, mmap 0, used 354336, free 2045920
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>   loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters
> Listening IP addresses:
>   10.10.5.1
>   192.168.101.11
>   192.168.10.1
>   192.168.50.2
>   172.16.100.1
> Connections:
>   policy1: 172.16.100.1...172.16.100.101 IKEv2, dpddelay=60s
>   policy1: local: [172.16.100.1] uses pre-shared key authentication
>   policy1: remote: [172.16.100.101] uses pre-shared key authentication
>   policy1: child: 192.168.101.0/24 === 10.10.101.0/24 TUNNEL, dpdaction=clear
> Routed Connections:
>   policy1{1}: ROUTED, TUNNEL, reqid 1
>   policy1{1}: 192.168.101.0/24 === 10.10.101.0/24
> Security Associations (2 up, 0 connecting):
>   policy1[2]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>   policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r, pre-shared key reauthentication in 17 seconds
>   policy1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   policy1{13}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i ca96f84a_o
>   policy1{13}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
>   policy1{13}: 192.168.101.0/24 === 10.10.101.0/24
>   policy1[3]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
>   policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*, pre-shared key reauthentication in 17 seconds
>   policy1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
>   policy1{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o
>   policy1{12}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
>   policy1{12}: 192.168.101.0/24 === 10.10.101.0/24
>
> Kind rgds,
> Makarand Pradhan
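Added example for the rekeyfuzz point raised at the top of the thread; this is not code from the thread or from the strongSwan project. It is a small Python model of the rekey-time formula strongSwan documents for its ExpiryRekey settings, `rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))`, run with the `lifetime=20m`, `margintime=1m` and `rekeyfuzz=0%` values from the posted ipsec.conf and with the documented 100% default. It shows why `rekeyfuzz=0%` removes all jitter, so two peers with mirrored configs schedule their rekey for the same second and collide, and it includes the sanity check that `margintime * (1 + rekeyfuzz)` must stay below `lifetime`. The function names, the inclusive handling of the random bound, and the two-peer simulation are assumptions made for illustration, not the daemon's exact scheduling code.

```python
"""Model of strongSwan's documented rekey-time formula (added example, not project code):

    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

Values under test are the ones posted in the thread (lifetime=20m, margintime=1m,
rekeyfuzz=0%) and the documented rekeyfuzz default of 100%.
"""
import random
from dataclasses import dataclass

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Parse an ipsec.conf time value such as '20m', '60s' or '1h' into seconds."""
    value = value.strip()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)  # bare number: seconds


def parse_percent(value: str) -> float:
    """Parse an ipsec.conf percentage such as '0%' or '100%' into a fraction."""
    return int(value.strip().rstrip("%")) / 100.0


@dataclass(frozen=True)
class RekeyParams:
    lifetime: int    # seconds until the SA hard-expires
    margintime: int  # seconds before expiry at which rekeying is attempted
    rekeyfuzz: float # fraction of margintime used as random jitter (1.0 == 100%)


def from_ipsec_conf(lifetime: str, margintime: str, rekeyfuzz: str) -> RekeyParams:
    """Build parameters from the string form used in ipsec.conf."""
    return RekeyParams(parse_duration(lifetime), parse_duration(margintime),
                       parse_percent(rekeyfuzz))


def check_params(p: RekeyParams) -> None:
    """Rekeying must be scheduled strictly after establishment: the worst-case
    jitter plus margin may not reach the lifetime, i.e. margintime*(1+fuzz) < lifetime."""
    if p.margintime * (1 + p.rekeyfuzz) >= p.lifetime:
        raise ValueError("margintime * (1 + rekeyfuzz) must be smaller than lifetime")


def rekey_window(p: RekeyParams) -> tuple[int, int]:
    """Earliest and latest second (after establishment) at which a rekey can start."""
    check_params(p)
    latest = p.lifetime - p.margintime
    earliest = latest - int(p.margintime * p.rekeyfuzz)
    return earliest, latest


def rekey_time(p: RekeyParams, rng: random.Random) -> int:
    """One draw of the documented formula; bound handling assumed inclusive here."""
    check_params(p)
    jitter = rng.randint(0, int(p.margintime * p.rekeyfuzz))
    return p.lifetime - (p.margintime + jitter)


def collision_rate(p: RekeyParams, trials: int = 1000, seed: int = 0) -> float:
    """Constructed two-peer simulation: each side draws its own rekey time with an
    independent RNG; a 'collision' is both sides choosing the same second, which
    is the situation where both initiate CREATE_CHILD_SA at once."""
    rng_a, rng_b = random.Random(seed), random.Random(seed + 1)
    hits = sum(1 for _ in range(trials)
               if rekey_time(p, rng_a) == rekey_time(p, rng_b))
    return hits / trials


if __name__ == "__main__":
    posted = from_ipsec_conf("20m", "1m", "0%")     # values from the thread's ipsec.conf
    default = from_ipsec_conf("20m", "1m", "100%")  # documented rekeyfuzz default
    for label, p in (("rekeyfuzz=0%", posted), ("rekeyfuzz=100%", default)):
        lo, hi = rekey_window(p)
        print(f"{label}: rekey window {lo}s..{hi}s, "
              f"same-second collisions {collision_rate(p):.1%}")
```

With the posted values the window collapses to a single second (1140 s after establishment), so mirrored peers always rekey simultaneously; at the 100% default the window spreads over the whole margin, which is what keeps the two sides from stepping on each other.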
