Re: [strongSwan] Memory leak in charon?

2022-08-05 Thread Andreas Steffen

Hi Michael,

I'm not aware of any memory leak that we fixed. You could run charon
compiled with the --enable-leak-detective configure option and check
for any memory leaks when you stop the daemon.

Regards

Andreas

On 05.08.22 09:46, Michael Schwartzkopff wrote:

Hi,


we have a strongswan 5.9.5 installed on an embedded device.

We see an increase of memory usage of the charon process of about 200 
kB/hour.


The leak might be somehow connected to rekeying since the leak rate was 
reduced with the rekeying rate. Also perhaps to logging, since we 
reduced verbosity to decrease leak rate.



As far as I read the changelog, no memory leak was fixed in 5.9.6 and 
5.9.7.



Any idea how to proceed to pin down the cause of the leak? 200 kB/h 
impacts the embedded device.




Kind regards,

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==


Re: [strongSwan] Failure of chacha algorithm use?

2022-08-05 Thread Andreas Steffen

Hi Michael,

swanctl shows IKE algorithms only, loaded ESP algorithms are not
reported.

On my Ubuntu 22.04 system "sudo modprobe chachapoly1305" loads CHACHA
AEAD support in the kernel and is then listed by "lsmod".

Regards Andreas


On 05.08.22 10:03, Michael Schwartzkopff wrote:

Hi,


we wanted to use CHACHA (chacha20poly1305) for ESP encryption.

We have a self-compiled kernel and a self-compiled strongswan (5.9.5) on 
our embedded device.


On our test systems (Ubuntu, Alma) everything works. But the embedded 
system logs:



[ENC] parsed CREATE_CHILD_SA response 3 [ N(USE_TRANSP) SA No KE TSi TSr ]
[CFG] selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ
[KNL] received netlink error: No such file or directory (2)
[KNL] unable to add SAD entry with SPI c9760420 (FAILED)


# swanctl -g tells us:

(...)

aead:
(...)

   CHACHA20_POLY1305[openssl]


Are we missing a kernel module?

As far as I can see, we compiled the necessary module into the kernel. 
Which option would the algorithm be under in the kernel?



Kind regards,



--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==
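
A way to check the situation discussed in this thread, as an added example (not part of the original messages and not strongSwan code): it pulls the ESP algorithm whose SAD entry failed with the netlink "No such file or directory" error out of a charon log and reports how the matching crypto option is set in a kernel config file. The function names, the AES-GCM mapping (which goes beyond the ChaCha20-Poly1305 case in the thread) and the sample kernel config are assumptions constructed for illustration.

```shell
# Added example, not strongSwan code; function names are hypothetical.
# ESP algorithms whose selected proposal was followed by a netlink ENOENT on SAD install.
failed_esp_algs() {
    awk '
        /selected proposal: ESP:/ {
            sub(/.*selected proposal: ESP:/, ""); split($0, p, "/"); alg = p[1]
        }
        /received netlink error: No such file or directory/ { enoent = 1 }
        /unable to add SAD entry/ { if (enoent && alg != "") print alg; enoent = 0 }
    ' "$1" | sort -u
}

# Kernel config symbol providing the AEAD (Linux crypto API Kconfig names).
kconfig_symbol() {
    case "$1" in
        CHACHA20_POLY1305) echo CONFIG_CRYPTO_CHACHA20POLY1305 ;;
        AES_GCM_*)         echo CONFIG_CRYPTO_GCM ;;
        *)                 return 1 ;;
    esac
}

# "builtin", "module" or "missing" for symbol $1 in config $2 (plain or .gz, e.g. /proc/config.gz).
kconfig_state() {
    case "$2" in *.gz) reader="gzip -dc" ;; *) reader="cat" ;; esac
    case "$($reader "$2" | grep "^$1=" || true)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo missing ;;
    esac
}

check_log_against_kernel() {    # $1 = charon log, $2 = kernel config
    for alg in $(failed_esp_algs "$1"); do
        sym=$(kconfig_symbol "$alg") || { echo "$alg unmapped"; continue; }
        echo "$alg $sym $(kconfig_state "$sym" "$2")"
    done
}

demo() {    # log lines from the post above; the kernel config is constructed
    dir=$(mktemp -d)
    printf '%s\n' \
        '[CFG] selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ' \
        '[KNL] received netlink error: No such file or directory (2)' \
        '[KNL] unable to add SAD entry with SPI c9760420 (FAILED)' > "$dir/charon.log"
    printf '%s\n' 'CONFIG_CRYPTO_GCM=y' '# CONFIG_CRYPTO_CHACHA20POLY1305 is not set' > "$dir/config"
    check_log_against_kernel "$dir/charon.log" "$dir/config"
    rm -rf "$dir"
}
demo
```

On a real device, pass the charon log and the running kernel's config (for example /proc/config.gz, where the kernel exposes it) to `check_log_against_kernel` instead of calling `demo`.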