> I know these settings and they look promising. Why not use them then?
> Unfortunately as I said before they seem to be useless since the counter is
> increased too late in the IKE_SA manager.

Yeah, I noticed that it's quite late. Since strongSwan calculates the IKE keys while processing the IKE_SA_INIT request (and not e.g. when processing the IKE_AUTH request) it might be better to increase this counter when the IKE_SA is checked out. But even so I guess there could be lots of packets queued initially until a number of them have been processed to increase the half-open SA count. I suppose you could counter that by some rate limiting in the firewall (e.g. only allow a few UDP packets/s per source IP). We currently also don't recheck the limits when processing queued packets (they are only checked early in the receiver before they get queued).

> We simulated a DoS attack and charon did not handle it well (see the logs in
> the initial question).

How exactly? And what settings did you use on the responder? (I saw that there are e.g. only 16 threads and I guess you didn't set a job limit.)

Regards,
Tobias
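As an added illustration that is not part of the thread, the following strongswan.conf fragment shows the responder-side settings the exchange refers to (thread count, cookie and half-open thresholds, and the init limits checked in the receiver); the values are assumptions chosen for illustration.

```conf
# strongswan.conf fragment for the responder (added example; values are assumed)
charon {
    # Worker threads; the reply asks whether only the default of 16 was used.
    threads = 32

    # Once this many half-open IKE_SAs exist, the cookie mechanism is enabled:
    # an IKE_SA_INIT request must be repeated with the returned cookie before
    # the responder does the key computation for it.
    cookie_threshold = 10

    # Once a single peer address holds this many half-open IKE_SAs, further
    # IKE_SA_INIT requests from that address are dropped.
    block_threshold = 5

    # Half-open IKE_SAs that never reach IKE_AUTH are deleted after this many
    # seconds.
    half_open_timeout = 30

    # Admission limits (0 disables them). They are checked in the receiver
    # before a packet is queued; as the reply above notes, the half-open
    # counter itself is only increased later, so an initial burst of queued
    # packets can pass these checks.
    init_limit_half_open = 1000
    init_limit_job_load = 2000
}
```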
