Hi,

We are using strongSwan current Release 4.6.2 on Linux (RHEL 5.3, kernel 
2.6.32).
We are trying to create/initiate 10,000 ipsec tunnels (SAs) from the Linux box 
running strongSwan ipsec, towards one remote gateway.


1) We have observed that up to 3000 connections, charon works fine and is 
able to initiate and establish connections.


2) On increasing the number of connections (entries in ipsec.conf file) to 
4000, charon crashes and respawns randomly during tunnel creations:

Apr 11 14:51:30 femtoslave3 charon: 89[DMN] thread 89 received 11
Apr 11 14:51:30 femtoslave3 charon: 89[DMN] killing ourself, received critical signal

No core dump in this case.


3) On increasing the number of connections further to 10,000, Charon 
process crashes during loading of the ipsec.conf file itself (ipsec.conf file 
has 10,000 conn <xx> entries), with out of memory error:

Apr 12 15:22:29 femtoslave3 charon: 74[LIB]   loaded certificate file '/etc/ipsec.d/certs/FAP-signed-by-ca-5894.pem'
Apr 12 15:22:29 femtoslave3 charon: 74[CFG] added configuration 'host_5895'
Apr 12 15:22:29 femtoslave3 charon: 71[CFG] received stroke: add connection 'host_5896'
Apr 12 12:52:29 femtoslave3 out of memory [5196]
Apr 12 12:52:29 femtoslave3 out of memory [5196]

The backtrace of core dump is as below:

#0  0xb78103ce in backtrace_create (skip=2) at utils/backtrace.c:177
#1  0x080544e9 in segv_handler (signal=11) at daemon.c:531
#2  <signal handler called>
#3  element_create (value=0x8144ec0) at utils/linked_list.c:56
#4  0xb780e1a5 in insert_last (this=0xbfffff58, item=0x8144ec0) at utils/linked_list.c:465
#5  0xb7807e47 in unique_check (list=0xbfffff58, in=0x9978cecc, out=0x9978cf3c) at crypto/crypto_factory.c:567
#6  0xb780ee7e in enumerate_filter (this=0xbfffffd8, o1=0x9978cf3c, o2=0x9978cf38, o3=0x9978cf34, o4=0x9978cf30, o5=0x9978cf2c) at utils/enumerator.c:431
#7  0xb780ee2e in enumerate_filter (this=0xbfffffb8, o1=0x9978cf74, o2=0x2, o3=0x0, o4=0xc, o5=0xb7816060) at utils/enumerator.c:429
#8  0x0804fea9 in proposal_create_default (protocol=PROTO_IKE) at config/proposal.c:795
#9  0xb77b0902 in add_proposals (this=<value optimized out>, string=0x0, ike_cfg=0xbffff9c0, child_cfg=0x0) at stroke_config.c:181
#10 0xb77b15c5 in add (this=0x943b078, msg=0x9978d0f0) at stroke_config.c:238
#11 0xb77afd77 in process (ctx=0x50f53008) at stroke_socket.c:194
#12 0x0805ef4d in execute (this=0xbfff4cc8) at processing/jobs/callback_job.c:145
#13 0x08060815 in process_jobs (this=0x8142ee8) at processing/processor.c:123
#14 0x4700949b in start_thread () from /lib/libpthread.so.0
#15 0x46f6042e in clone () from /lib/libc.so.6

Could you please help with this issue?
Is there any known limitation for charon to establish/initiate a huge number 
of IPSec connections?

Thanks,
Munish





