Re: [strongSwan] Memory leak when routing internet traffic via VPN

2019-11-11 Thread Martin Willi
Hi,

> If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks
> memory - available memory decreases steadily until all memory+swap
> are consumed and the server needs to be rebooted. No processes are
> using this memory - the sum of all shared + RSS is much lower than
> what htop reports as used, and nothing I can kill reclaims it.

Not sure if it is related, but have a look at the following discussion:

  
https://lore.kernel.org/netdev/CAMnf+PjGq2qsZzg=+H5Z5kO+PSQbo=R0MHW5rv1CWrqoS=b...@mail.gmail.com/

Kind regards
Martin



[strongSwan] Memory leak when routing internet traffic via VPN

2019-11-11 Thread Alexander Hill
Hi list,

Trying to troubleshoot a weird memory leak on my VPN server.

I have a roadwarrior setup described here -
https://lists.strongswan.org/pipermail/users/2019-October/013878.html

I have nat and mangle iptables rules set up as per the strongswan wiki to
forward internet-bound traffic via NAT.

If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks memory -
available memory decreases steadily until all memory+swap are consumed and
the server needs to be rebooted. No processes are using this memory - the
sum of all shared + RSS is much lower than what htop reports as used, and
nothing I can kill reclaims it.

If I remove the 0.0.0.0/0 traffic selector so that the clients access the
internet directly instead of over the VPN, then memory usage is flat.
Alternatively, if I leave the 0.0.0.0/0 traffic selector but turn off as
many internet-using things on the clients as I can, memory usage is flat.
It really looks like traffic being routed via NAT over the VPN is causing
some kind of memory leak.

Does anyone have any ideas about how to start troubleshoot or fix this?

Alex
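
The symptom above (used memory that no process accounts for and that killing processes does not reclaim) is the signature of memory held by the kernel rather than by userspace. The following script is an added example, not part of the original post or of strongSwan; it splits /proc/meminfo the way top/htop do and compares the result with the summed process RSS. The meminfo and `ps` samples are constructed for the example, not captured from the poster's server.

```python
"""Added diagnostic (not from the thread): decide whether 'used' memory that
no process owns is kernel-side, by splitting /proc/meminfo the way top/htop do."""
import re

# Constructed /proc/meminfo sample (kB), not captured from the poster's server.
# It models a 4 GiB box whose unreclaimable slab has grown to ~2.7 GiB.
SAMPLE_MEMINFO = """\
MemTotal:        4046296 kB
MemFree:          211540 kB
MemAvailable:     402164 kB
Buffers:           30876 kB
Cached:           214040 kB
SwapTotal:       2097148 kB
SwapFree:         901220 kB
Active(anon):     598000 kB
Shmem:             12288 kB
Slab:            2893012 kB
SReclaimable:      86400 kB
SUnreclaim:      2806612 kB
KernelStack:       12304 kB
PageTables:        18812 kB
VmallocUsed:       44032 kB
Percpu:            13312 kB
HugePages_Total:       0
"""

# Constructed output of `ps -eo rss=` (kB per process); also not real data.
SAMPLE_PS_RSS = "\n".join(["1024", "8192", "409600", "65536", "115648"])


def parse_meminfo(text):
    """Map each /proc/meminfo key to its value in kB (keys with '(' included)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([\w()]+):\s+(\d+)(?:\s+kB)?\s*$", line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return info


def sum_rss(ps_output):
    """Sum of per-process RSS from `ps -eo rss=`. Shared pages are counted once
    per process, so this over-counts userspace slightly and never under-counts."""
    return sum(int(v) for v in ps_output.split())


def memory_breakdown(info, user_rss_kb):
    """Return (used_kb, kernel_kb, unexplained_kb).

    used       : MemTotal - MemFree - Buffers - Cached - SReclaimable, roughly
                 what top/htop display as 'used'
    kernel     : memory the kernel accounts to itself (unreclaimable slab,
                 kernel stacks, page tables, vmalloc, per-cpu areas)
    unexplained: used - user RSS - kernel; near zero on a healthy host
    """
    used = (info["MemTotal"] - info["MemFree"] - info["Buffers"]
            - info["Cached"] - info["SReclaimable"])
    kernel = (info["SUnreclaim"] + info["KernelStack"] + info["PageTables"]
              + info.get("VmallocUsed", 0) + info.get("Percpu", 0))
    return used, kernel, used - user_rss_kb - kernel


def diagnose(info, user_rss_kb):
    """One-line verdict: is the missing memory in processes or in the kernel?"""
    used, kernel, unexplained = memory_breakdown(info, user_rss_kb)
    if kernel > user_rss_kb and info["SUnreclaim"] > info["MemTotal"] // 4:
        return ("kernel: SUnreclaim is %d kB of %d kB used; killing processes "
                "cannot free it, compare /proc/slabinfo (slabtop) snapshots "
                "over time to see which cache grows" % (info["SUnreclaim"], used))
    if unexplained > info["MemTotal"] // 10:
        return "unexplained: %d kB is neither process RSS nor kernel-accounted" % unexplained
    return "userspace: process RSS (%d kB) explains the used memory" % user_rss_kb


if __name__ == "__main__":
    # On a live host replace the samples with open('/proc/meminfo').read()
    # and subprocess.check_output(['ps', '-eo', 'rss=']).
    info = parse_meminfo(SAMPLE_MEMINFO)
    rss = sum_rss(SAMPLE_PS_RSS)
    print(memory_breakdown(info, rss))
    print(diagnose(info, rss))
```

If SUnreclaim (or Slab in general) grows in step with the tunnelled traffic and does not drop when charon or the clients are stopped, the leak is in the kernel's packet path and not in strongSwan's userspace, which is what the linked netdev discussion should be compared against; two /proc/slabinfo snapshots taken an hour apart show which cache is growing.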


Re: [strongSwan] OCSP update dime

2019-11-11 Thread Modster, Anthony
Hello Noel

? any information on this item

-Original Message-
From: Noel Kuntze  
Sent: Wednesday, November 6, 2019 3:50 PM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

I think it takes all of them and tries them in order or something, I'd need to 
look at the code.

Am 07.11.19 um 00:11 schrieb Modster, Anthony:
> Hello Noel
> 
> If the URLs are not set, ? will strongswan read them from the User Cert
> swanctl: authorities.<name>.ocsp_uris "comma-separated list of OCSP URLs"
> 
> ? would it be the same for CPD
> 
> -Original Message-
> From: Noel Kuntze  
> Sent: Wednesday, November 06, 2019 2:52 PM
> To: Modster, Anthony ; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Check the man page for swanctl.conf on the system running strongSwan. Search 
> for authorities or scroll to the bottom of the page.
> The possibility to configure CRL and OCSP URIs was added in 5.3.3.
> 
> Kind regards
> 
> Noel
> 
> Am 06.11.19 um 23:16 schrieb Modster, Anthony:
>> ? were are the configuration parameters for OCSP
>> Note: we are using swanctl (VICI)
>>
>>
>> -Original Message-
>> From: Noel Kuntze  
>> Sent: Wednesday, November 06, 2019 2:13 PM
>> To: Modster, Anthony ; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Answers and question as follows:
>>
>> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>> A: CRL in ipsec.d/crls or fetched dynamically using configured (in 
>> ipsec.conf ca section or swanctl authority section) CRL URIs or CRL URI 
>> encoded in CA certificate
>>
>> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>> A: Yes.
>>
>> Am 06.11.19 um 22:46 schrieb Modster, Anthony:
>>> Thanks
>>> See below (A.M.)
>>>
>>> -Original Message-
>>> From: Noel Kuntze  
>>> Sent: Wednesday, November 06, 2019 1:35 PM
>>> To: Modster, Anthony ; 
>>> users@lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello Anthony,
>>>
>>> The exact paragraph is
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information on the 
>>>> certificate status.
>>>
>>> The paragraph gives you the following information:
>>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
>>> (does not pertain OCSP)
>>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>>
>>> 2) If you need to get new information about revocations sooner than the 
>>> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
>>> file you issue or use OCSP (Online Certificate Status Protocol) instead. 
>>> OCSP works via a HTTP request asking the OCSP responder if a given 
>>> certificate (identified by its hash) is valid at the current time or not.
>>>
>>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 06.11.19 um 22:31 schrieb Modster, Anthony:
>>>> Hello
>>>> ? then what is Andreas referencing, below is the issue reported
>>>> https://wiki.strongswan.org/issues/568 
>>>>
>>>> Hi Jim,
>>>>
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information on the 
>>>> certificate status.
>>>>
>>>> Andreas
>>>>
>>>> -Original Message-
>>>> From: Noel Kuntze  
>>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>>> To: Modster, Anthony ; 
>>>> users@lists.strongswan.org
>>>> Subject: Re: [strongSwan] OCSP update dime
>>>>
>>>> Hello,
>>>>
>>>> The request doesn't really make sense.
>>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> Am 06.11.19 um 00:03 schrieb Modster, Anthony:
>>>>> Hello
>>>>>
>>>>> ? what is the nextUpdate time
>>>>>
>>>>> ? is it configurable
>>>>>
>>>>> https://wiki.strongswan.org/issues/568
>>>>>
>>>>> Thanks
>>>>>
>>>>
>>>
>>
> 
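
The thread asks where OCSP and CRL fetching is configured for swanctl. As an added illustration (not from the thread, and not a verbatim copy of the strongSwan documentation), the fragment below shows the swanctl.conf `authorities` section Noel points to, together with the per-connection `revocation` setting that decides what happens when neither source answers. The CA name, file name and URLs are placeholders.

```conf
# /etc/swanctl/swanctl.conf (fragment); names and URLs are placeholders
authorities {
    corp-ca {
        # CA certificate file, looked up under /etc/swanctl/x509ca/
        cacert = corp-ca.pem
        # Consulted in addition to the CDP / AIA URIs embedded in the
        # end-entity certificate; both accept comma-separated lists
        crl_uris = http://crl.example.invalid/corp.crl
        ocsp_uris = http://ocsp.example.invalid
    }
}

connections {
    rw {
        remote {
            auth = pubkey
            # strict: a peer whose status cannot be determined (no reachable
            # OCSP responder and no valid CRL) is rejected instead of admitted.
            # relaxed (the default) only rejects certificates known to be revoked;
            # ifuri rejects on fetch failure only when the certificate carries a URI.
            revocation = strict
        }
    }
}
```

After editing, `swanctl --load-authorities` and `swanctl --load-conns` pick the changes up without restarting charon. The revocation plugin queries OCSP before falling back to a CRL, so with a reachable responder the CRL's nextUpdate no longer bounds how quickly a revocation takes effect; with CRLs alone, nextUpdate is that bound, and a cached CRL is not refetched before it, unless the certificate cache is flushed with `swanctl --flush-certs`. Cached CRLs, with their update times, can be listed with `swanctl --list-certs --type x509_crl`.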



Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
Thanks

-Original Message-
From: Noel Kuntze  
Sent: Monday, November 11, 2019 11:41 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] application hook for CPD

That's what the first sentence is about.




Re: [strongSwan] application hook for CPD

2019-11-11 Thread Noel Kuntze
That's what the first sentence is about.

Am 11.11.19 um 20:39 schrieb Modster, Anthony:
> ? how about the ErrorNotifyPlugin





Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
? how about the ErrorNotifyPlugin


-Original Message-
From: Noel Kuntze  
Sent: Monday, November 11, 2019 11:14 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] application hook for CPD

Hello Anthony,

Nope, there is no alert for that in error_notify. I didn't find one in the vici 
plugin sources for CRLs either.

Kind regards
Noel




Re: [strongSwan] application hook for CPD

2019-11-11 Thread Noel Kuntze
Hello Anthony,

Nope, there is no alert for that in error_notify. I didn't find one in the vici 
plugin sources for CRLs either.

Kind regards
Noel






Re: [strongSwan] application hook for CPD

2019-11-11 Thread Modster, Anthony
Hello

Is there any information on this item?

Also, ? is there an event notification for CPD loading
if a CRL is in cache memory and has not expired, and a CPD is uploaded.

From: Modster, Anthony
Sent: Friday, November 08, 2019 9:41 AM
To: users@lists.strongswan.org
Subject: application hook for CPD

Hello

? does VICI or "error notify plugin" provide a callback when CPD has loaded a 
CRL

CDP enabled
There is a loaded CRL in memory, and has expired
CPD loads a new CRL

Note: In this case charon will only load to memory the new CRL, if expired, or 
the cache has been flushed manually.

Thanks




Re: [strongSwan] Unstable strongSwan-ASA tunnel

2019-11-11 Thread Tobias Brunner
Hi Santiago,

> I'm not an expert, but according to the logs it seems it might have 
> something to do with rekeying.

Yep, looks that way.  First, I've never seen this message before:

> Nov  9 23:31:17 RouterA charon: 15[IKE] peer didn't accept DH group 
> MODP_1024, it requested MODP_NONE

It seems a bit strange, but I guess the peer doesn't want to use DH
during CHILD_SA rekeying.  Technically, it should just ignore the KE
payload and select a proposal without DH group (or with MODP_NONE).  If
there isn't one, the response should probably be NO_PROPOSAL_CHOSEN and
not INVALID_KE_PAYLOAD.

What's interesting is that strongSwan actually continues without a KE
payload, while the proposal is obviously not changed and still proposes
modp1024, so it won't actually match later and causes this error:

> Nov  9 23:31:17 RouterA charon: 08[CFG] received proposals: 
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Nov  9 23:31:17 RouterA charon: 08[CFG] configured proposals: 
> ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Nov  9 23:31:17 RouterA charon: 08[IKE] no acceptable proposal found

You should either enable PFS on the Cisco box, or disable it on the other.

Regards,
Tobias
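
The mismatch in the log above reduces to one rule of IKEv2 proposal selection: a configured proposal that carries a DH group (PFS) cannot be satisfied by a peer proposal that carries none, and MODP_NONE means none. The script below is an added example that models that rule; it is not strongSwan's own selection code. Algorithm names follow the format of the charon log lines, and only the transform-name prefixes used here are recognised (AEAD ciphers such as GCM are out of scope).

```python
"""Added example (not strongSwan code): IKEv2 proposal selection reduced to
the rule behind 'no acceptable proposal found'. A configured proposal with a
DH group is not matched by a peer proposal without one; MODP_NONE == none.
Algorithm names follow strongSwan's log output."""

TRANSFORM_ORDER = ("ENCR", "INTEG", "DH", "ESN")


def transform_type(alg):
    """Classify an algorithm name from a log-style proposal string.
    Assumption: only these prefixes occur; AEAD (e.g. AES_GCM) is not handled."""
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if alg.startswith(("AES_CBC", "AES_CTR", "3DES", "CHACHA20", "CAMELLIA")):
        return "ENCR"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    raise ValueError("unknown transform %r" % alg)


def parse_proposal(text):
    """'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ'
    -> ('ESP', {'ENCR': [...], 'INTEG': [...], 'DH': [...], 'ESN': [...]}).
    MODP_NONE is dropped, so 'no DH' and 'DH = MODP_NONE' parse identically."""
    proto, _, algs = text.partition(":")
    transforms = {}
    for alg in algs.split("/"):
        if alg == "MODP_NONE":
            continue
        transforms.setdefault(transform_type(alg), []).append(alg)
    return proto, transforms


def select_proposal(configured, received):
    """Return the first configured proposal (in configured order) that the
    received proposal can satisfy, or None for 'no acceptable proposal found'."""
    rproto, rtrans = parse_proposal(received)
    for conf in configured:
        cproto, ctrans = parse_proposal(conf)
        # A transform type present on one side only (here: DH) is a mismatch.
        if cproto != rproto or set(ctrans) != set(rtrans):
            continue
        chosen = {}
        for ttype, algs in ctrans.items():
            common = [a for a in algs if a in rtrans[ttype]]
            if not common:
                break
            chosen[ttype] = common[0]
        else:
            return "%s:%s" % (cproto, "/".join(
                chosen[t] for t in TRANSFORM_ORDER if t in chosen))
    return None


# The exchange from the log: the ASA rekeys without PFS, strongSwan wants modp1024.
RECEIVED = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"
WITH_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ"  # esp_proposals = aes256-sha1-modp1024
WITHOUT_PFS = "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ"         # esp_proposals = aes256-sha1

if __name__ == "__main__":
    print(select_proposal([WITH_PFS], RECEIVED))     # None: no acceptable proposal found
    print(select_proposal([WITHOUT_PFS], RECEIVED))  # matches once PFS is off on this side too
```

Listing both `aes256-sha1-modp1024,aes256-sha1` in `esp_proposals` would also make the rekey succeed, but it lets the peer choose the no-PFS variant, so enabling PFS on the ASA with a matching group is the stronger fix; and since modp1024 is 1024-bit DH, agreeing on modp2048 or an ECP group on both ends is preferable to keeping it.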