> I know these settings and they look promising.

Why not use them then?

> Unfortunately as I said before they seem to be useless since the counter is 
> increased too late in the IKE_SA manager.

Yeah, I noticed that it's quite late.  Since strongSwan calculates the
IKE keys while processing the IKE_SA_INIT request (and not e.g. when
processing the IKE_AUTH request) it might be better to increase this
counter when the IKE_SA is checked out.  But even so I guess there could
be lots of packets queued initially until a number of them have been
processed to increase the half-open SA count.  I suppose you could
counter that by some rate limiting in the firewall (e.g. only allow a
few UDP packet/s per source IP).  We currently also don't recheck the
limits when processing queued packets (they are only checked early in
the receiver before they get queued).

> We simulated a DoS attack and charon did not handle it well (see the logs in 
> the initial question).

How exactly?  And what settings did you use on the responder?  (I saw
that there are e.g. only 16 threads and I guess you didn't set a job limit.)


Reply via email to