Hi Emeric,

> Questions:
> - why is this counter increased after the first message has successfully
> been handled from the job queue?

The half-open SA counter is increased whenever an IKE_SA object is checked into the IKE_SA manager after processing (or initiating) an IKE_SA_INIT request, and reduced when an IKE_SA is checked in after successfully establishing it with the last IKE_AUTH request.

> - is charon.init_limit_job_load the only relevant setting for DoS protection?

No, there are several others. The first is charon.cookie_threshold (and charon.dos_protection), which causes COOKIEs to get returned if the global number of half-open SAs exceeds the limit, which helps if the IKE_SA_INITs are sent from fake IPs. If the requests are sent from real hosts that actually retry initiating with the returned COOKIE payload and (if they send multiple requests) modify the nonces/KE payload, the next option is charon.block_threshold, which sets a limit for half-open SAs per source IP. Then the next limit is charon.init_limit_half_open, which drops IKE_SA_INITs if the global half-open SA count exceeds a certain number. Similarly, the charon.init_limit_job_load option will cause IKE_SA_INITs to get dropped if the total number of queued jobs exceeds a certain number.

Next are options that might help processing the queued jobs faster, e.g. using hash tables in the IKE_SA manager [1] and optimizing thread allocation [2].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
[2] https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
