On Sun, 23 Jul 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES 
LIMITED at Cisco) wrote:

I am using Libreswan 3.15 in CentOS 6.8 running on VM.  Same version of 
Libreswan is used in the peer.

Please clarify the following queries-

1)   Observing that when the disk space nears 90% or more, any of the ipsec 
commands seems to hang and does not get completed. I observed that the pluto 
log file (/var/lib/pluto.log) occupied several Gigs. Any attempt to zero-size 
this log file or reduce its size by removing a few thousand lines of 
accumulated past logs does not resolve the issue. This issue got resolved 
after rebooting the VM.

Could someone clarify if there is an alternate way to resolve this issue?

you can use logging with syslog and it can properly logrotate. Using
logfile= (or plutostderrlog=) leads to a file that has to be truncated
manually (and really requires a restart of the daemon).

Later versions have reduced a lot of logging. Also, do not run with
plutodebug= at all - it should not be needed for normal operation.

We are looking at adding another alternative for logging via dbus, which
would also move the responsibility of taking the logs and processing
them to another processor.

2)   In the current scenario, a single tunnel is set up between the two peers 
with multiple ipsec configuration files created to connect to many simulated 
(virtual) devices across this tunnel. Somehow, it appears that many 
connections are not getting established across this tunnel at a given time. 
Only a limited number of connections succeed and the message "Cannot 
communicate through IPSec Tunnel" is observed at the peer end for the remaining 

Is there any limitation in the number of connections that can pass across this 

There should not be any limitations, although you might be running low
on entropy if setting up hundreds of connections between two peers.
Consider running jitterentropy-rngd or haveged on the hosts.

3)   Could someone please share the ipsec configuration file when multihomed 
IPs are involved for connecting to many simulated (virtual) devices?

Note that if you just change leftsubnet/rightsubnet, you will be
using a shared IKE SA and not really simulating many clients. To do
that properly, it is best to use unique leftid/rightid and left/right
IP addresses.
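The two configuration points raised in this exchange, logging (question 1) and per-device conns (question 3), as one added ipsec.conf example. This is not from the thread or from the libreswan project; the addresses 192.0.2.1, 198.51.100.11, 198.51.100.12, the subnets 10.0.0.0/16 and 10.1.x.0/24, the ids @gateway, @device-1, @device-2, and the PSK values are all assumed for illustration, as is the extra addresses being configured as aliases on the peer VM.

```ini
# /etc/ipsec.conf, added example (not from this thread or the libreswan project).
# Assumed for illustration: gateway 192.0.2.1 (id @gateway); simulated devices
# 198.51.100.11 and 198.51.100.12 (ids @device-1, @device-2), both configured
# as address aliases on the peer VM; 10.0.0.0/16 and 10.1.x.0/24 as the
# protected networks.

config setup
    # Growing-file setup from question 1: pluto writes this file itself, so
    # nothing rotates it, and truncating it does not give the space back
    # while the daemon keeps the file open.
    #logfile=/var/log/pluto.log
    #plutodebug=all

    # Syslog setup: with logfile= unset, pluto logs through syslog (ident
    # "pluto", facility daemon), so the normal rsyslog/logrotate handling
    # of the system log applies. Debug logging stays off in normal operation.
    plutodebug=none
    protostack=netkey

# Per-device conns for question 3. Each has its own right= address and
# rightid=, so each negotiates its own IKE SA and models a separate client.
conn device-1
    left=192.0.2.1
    leftid=@gateway
    leftsubnet=10.0.0.0/16
    right=198.51.100.11
    rightid=@device-1
    rightsubnet=10.1.1.0/24
    authby=secret
    auto=start

conn device-2
    left=192.0.2.1
    leftid=@gateway
    leftsubnet=10.0.0.0/16
    right=198.51.100.12
    rightid=@device-2
    rightsubnet=10.1.2.0/24
    authby=secret
    auto=start

# Contrast: same endpoints and ids as device-1, only the subnet differs.
# This conn becomes a second child SA under device-1's IKE SA, not a second
# client, which is exactly what the reply warns about.
conn device-1-extra-subnet
    left=192.0.2.1
    leftid=@gateway
    leftsubnet=10.0.0.0/16
    right=198.51.100.11
    rightid=@device-1
    rightsubnet=10.1.9.0/24
    authby=secret
    auto=start

# Matching /etc/ipsec.secrets entries, one PSK per id pair (values assumed):
#   @gateway @device-1 : PSK "replace-with-device-1-secret"
#   @gateway @device-2 : PSK "replace-with-device-2-secret"
```

The same file can be loaded on both peers, since pluto decides which side it is from the address it owns; on the peer VM the extra addresses have to exist first (for instance `ip addr add 198.51.100.12/24 dev eth0`) and the secrets file needs the same id pairs. With this layout, `ipsec status` shows a separate IKE SA for device-1 and device-2, while device-1-extra-subnet only adds a child SA to device-1's.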

Swan mailing list
  • ... Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco)
    • ... Paul Wouters