Thanks Miroslav. I did that.

Regards,
Sriram

On Fri, May 22, 2015 at 2:38 PM, Miroslav Svoboda <[email protected]> wrote:
> I suppose you may want to create a new bug report for this issue.
> You can do it here:
> https://wiki.strongswan.org/projects/strongswan/issues/new
> You would need to create an account, unless you already had one.
>
> Miroslav
>
> On Friday, May 22, 2015 at 8:44:44 AM UTC+2, Sriram wrote:
>>
>> ---------- Forwarded message ----------
>> From: Sriram <[email protected]>
>> Date: Fri, May 22, 2015 at 8:47 AM
>> Subject: [strongSwan] Encryption/Decryption with Libipsec - issue.
>> To: [email protected]
>>
>>
>> Hi,
>>
>> I'm using strongswan-5.3.0 for tunnel establishment. In that I'm trying
>> out libipsec which does userspace encryption/decryption.
>>
>> In our lab I tested a scenario where I sent,
>>
>> 1. 20Mbps uplink traffic from the device where libipsec is running, to a
>> remote server.
>> 2. 80Mbps downlink traffic from the remote server to the device where
>> libipsec is running.
>>
>> These two traffics are sent simultaneously using iperf tool.
>> I see that charon's memory usage gradually shoots up, it goes up to 630MB
>> before the device crashes with out of memory.
>>
>> Attaching the ipsec configuration at the device for the reference,
>> # ipsec stautusall
>> Status of IKE charon daemon (strongSwan 5.3.0, Linux
>> 3.10.49-perf-g9578e9c-dirty, armv7l):
>>   uptime: 3 hours, since May 21 12:39:32 2015
>>   malloc: sbrk 262144, mmap 0, used 124296, free 137848
>>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0,
>> scheduled: 5
>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pgp dnskey pem af-alg
>> fips-prf gmp cmac hmac attr kernel-libipsec kernel-netlink resolve
>> socket-default stroke updown eap-identity eap-md5 xauth-generic xauth-eap
>> Listening IP addresses:
>>   10.206.1.195
>>   192.168.16.1
>>   192.168.17.1
>>   192.168.18.1
>>   192.168.19.1
>>   192.168.20.1
>>   192.168.21.1
>>   192.168.22.1
>> Connections:
>>   home: 10.x.x.x....10.x.x.x IKEv2, dpddelay=200s
>>   home: local: [[email protected]] uses EAP_MD5
>> authentication
>>   home: remote: uses pre-shared key authentication
>>   home: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>>   home[1]: ESTABLISHED 3 hours ago, 10.x.x.x[
>> [email protected]]...10.x.x..x[[email protected]]
>>   home[1]: IKEv2 SPIs: dd59a64f073fe3ab_i* c122b599ceb1c01c_r,
>> rekeying in 20 hours
>>   home[1]: IKE proposal:
>> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>   home{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 36d3f9bc_i
>> 000a238e_o
>>   home{1}: AES_CBC_128/HMAC_SHA1_96, 86081585971 bytes_i (64823181
>> pkts, 9s ago), 21762234249 bytes_o (16390835 pkts, 9s ago), rekeying in 6
>> hours
>>   home{1}: 10.220.10.116/32 === 0.0.0.0/0
>> # ipsec listall
>>
>> List of registered IKE algorithms:
>>
>>   encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
>> TWOFISH_CBC[af-alg]
>>   integrity: HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac]
>> HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
>> HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac]
>> HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
>> HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
>> HMAC_SHA2_512_512[hmac]
>>   aead:
>>   hasher: HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2]
>> HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
>>   prf: PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac]
>> PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
>> PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac]
>> PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
>>   dh-group: MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp]
>> MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
>> MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp]
>> MODP_2048_256[gmp] MODP_CUSTOM[gmp]
>>   random-gen: RNG_STRONG[random] RNG_TRUE[random]
>>   nonce-gen: [nonce]
>>
>> List of loaded Plugins:
>>
>> charon:
>>     CUSTOM:libcharon
>>     NONCE_GEN
>>     CUSTOM:libcharon-receiver
>>     CUSTOM:kernel-ipsec
>>     CUSTOM:kernel-net
>>     CUSTOM:libcharon-receiver
>>     HASHER:HASH_SHA1
>>     RNG:RNG_STRONG
>>     CUSTOM:socket
>> aes:
>>     CRYPTER:AES_CBC-16
>>     CRYPTER:AES_CBC-24
>>     CRYPTER:AES_CBC-32
>> des:
>>     CRYPTER:3DES_CBC-24
>>     CRYPTER:DES_CBC-8
>>     CRYPTER:DES_ECB-8
>> sha1:
>>     HASHER:HASH_SHA1
>>     PRF:PRF_KEYED_SHA1
>> sha2:
>>     HASHER:HASH_SHA224
>>     HASHER:HASH_SHA256
>>     HASHER:HASH_SHA384
>>     HASHER:HASH_SHA512
>> md5:
>>     HASHER:HASH_MD5
>> random:
>>     RNG:RNG_STRONG
>>     RNG:RNG_TRUE
>> nonce:
>>     NONCE_GEN
>>     RNG:RNG_WEAK
>> x509:
>>     CERT_ENCODE:X509
>>     HASHER:HASH_SHA1
>>     CERT_DECODE:X509
>>     HASHER:HASH_SHA1
>>     PUBKEY:RSA (soft)
>>     PUBKEY:ECDSA (soft)
>>     PUBKEY:DSA (soft)
>>     CERT_ENCODE:X509_AC
>>     CERT_DECODE:X509_AC
>>     CERT_ENCODE:X509_CRL
>>     CERT_DECODE:X509_CRL
>>     CERT_ENCODE:X509_OCSP_REQUEST
>>     HASHER:HASH_SHA1
>>     RNG:RNG_WEAK
>>     CERT_DECODE:X509_OCSP_RESPONSE
>>     CERT_ENCODE:PKCS10_REQUEST
>>     CERT_DECODE:PKCS10_REQUEST
>> revocation:
>>     CUSTOM:revocation
>>     CERT_ENCODE:X509_OCSP_REQUEST (soft)
>>     CERT_DECODE:X509_OCSP_RESPONSE (soft)
>>     CERT_DECODE:X509_CRL (soft)
>>     CERT_DECODE:X509 (soft)
>>     FETCHER:(null) (soft)
>> constraints:
>>     CUSTOM:constraints
>>     CERT_DECODE:X509 (soft)
>> pubkey:
>>     CERT_ENCODE:TRUSTED_PUBKEY
>>     CERT_DECODE:TRUSTED_PUBKEY
>>     PUBKEY:RSA (soft)
>>     PUBKEY:ECDSA (soft)
>>     PUBKEY:DSA (soft)
>> pkcs1:
>>     PRIVKEY:RSA
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>> pkcs7:
>>     CONTAINER_DECODE:PKCS7
>>     CONTAINER_ENCODE:PKCS7_DATA
>>     CONTAINER_ENCODE:PKCS7_SIGNED_DATA
>>     CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
>> pkcs8:
>>     PRIVKEY:ANY
>>     PRIVKEY:RSA
>>     PRIVKEY:ECDSA
>> pgp:
>>     PRIVKEY:ANY
>>     PRIVKEY:RSA
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>>     CERT_DECODE:PGP
>> dnskey:
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>> pem:
>>     PRIVKEY:ANY
>>     PRIVKEY:ANY
>>     HASHER:HASH_MD5 (soft)
>>     PRIVKEY:RSA
>>     PRIVKEY:RSA
>>     HASHER:HASH_MD5 (soft)
>>     PRIVKEY:ECDSA
>>     PRIVKEY:ECDSA
>>     HASHER:HASH_MD5 (soft)
>>     PRIVKEY:DSA (not loaded)
>>     PRIVKEY:DSA
>>     HASHER:HASH_MD5 (soft)
>>     PUBKEY:ANY
>>     PUBKEY:ANY
>>     PUBKEY:RSA
>>     PUBKEY:RSA
>>     PUBKEY:ECDSA (not loaded)
>>     PUBKEY:ECDSA
>>     PUBKEY:DSA (not loaded)
>>     PUBKEY:DSA
>>     CERT_DECODE:ANY
>>     CERT_DECODE:X509 (soft)
>>     CERT_DECODE:PGP (soft)
>>     CERT_DECODE:X509
>>     CERT_DECODE:X509
>>     CERT_DECODE:X509_CRL
>>     CERT_DECODE:X509_CRL
>>     CERT_DECODE:X509_OCSP_REQUEST (not loaded)
>>     CERT_DECODE:X509_OCSP_REQUEST
>>     CERT_DECODE:X509_OCSP_RESPONSE
>>     CERT_DECODE:X509_OCSP_RESPONSE
>>     CERT_DECODE:X509_AC
>>     CERT_DECODE:X509_AC
>>     CERT_DECODE:PKCS10_REQUEST
>>     CERT_DECODE:PKCS10_REQUEST
>>     CERT_DECODE:TRUSTED_PUBKEY
>>     CERT_DECODE:TRUSTED_PUBKEY
>>     CERT_DECODE:PGP
>>     CERT_DECODE:PGP
>>     CONTAINER_DECODE:PKCS12 (not loaded)
>>     CONTAINER_DECODE:PKCS12
>> af-alg:
>>     CRYPTER:DES_CBC-8
>>     CRYPTER:DES_ECB-8
>>     CRYPTER:3DES_CBC-24
>>     CRYPTER:AES_CBC-16
>>     CRYPTER:AES_CBC-24
>>     CRYPTER:AES_CBC-32
>>     CRYPTER:TWOFISH_CBC-16
>>     CRYPTER:TWOFISH_CBC-24
>>     CRYPTER:TWOFISH_CBC-32
>> fips-prf:
>>     PRF:PRF_FIPS_SHA1_160
>>     PRF:PRF_KEYED_SHA1
>> gmp:
>>     DH:MODP_2048
>>     RNG:RNG_STRONG
>>     DH:MODP_2048_224
>>     RNG:RNG_STRONG
>>     DH:MODP_2048_256
>>     RNG:RNG_STRONG
>>     DH:MODP_1536
>>     RNG:RNG_STRONG
>>     DH:MODP_3072
>>     RNG:RNG_STRONG
>>     DH:MODP_4096
>>     RNG:RNG_STRONG
>>     DH:MODP_6144
>>     RNG:RNG_STRONG
>>     DH:MODP_8192
>>     RNG:RNG_STRONG
>>     DH:MODP_1024
>>     RNG:RNG_STRONG
>>     DH:MODP_1024_160
>>     RNG:RNG_STRONG
>>     DH:MODP_768
>>     RNG:RNG_STRONG
>>     DH:MODP_CUSTOM
>>     RNG:RNG_STRONG
>>     PRIVKEY:RSA
>>     PRIVKEY_GEN:RSA
>>     RNG:RNG_TRUE
>>     PUBKEY:RSA
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
>>     HASHER:HASH_SHA1
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224
>>     HASHER:HASH_SHA224
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
>>     HASHER:HASH_SHA256
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384
>>     HASHER:HASH_SHA384
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512
>>     HASHER:HASH_SHA512
>>     PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5
>>     HASHER:HASH_MD5
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
>>     HASHER:HASH_SHA1
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
>>     HASHER:HASH_SHA224
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
>>     HASHER:HASH_SHA256
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
>>     HASHER:HASH_SHA384
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512
>>     HASHER:HASH_SHA512
>>     PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5
>>     HASHER:HASH_MD5
>>     PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1
>>     PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1
>>     RNG:RNG_WEAK
>> cmac:
>>     PRF:PRF_AES128_CMAC
>>     CRYPTER:AES_CBC-16
>>     SIGNER:AES_CMAC_96
>>     CRYPTER:AES_CBC-16
>> hmac:
>>     PRF:PRF_HMAC_SHA1
>>     HASHER:HASH_SHA1
>>     PRF:PRF_HMAC_MD5
>>     HASHER:HASH_MD5
>>     PRF:PRF_HMAC_SHA2_256
>>     HASHER:HASH_SHA256
>>     PRF:PRF_HMAC_SHA2_384
>>     HASHER:HASH_SHA384
>>     PRF:PRF_HMAC_SHA2_512
>>     HASHER:HASH_SHA512
>>     SIGNER:HMAC_SHA1_96
>>     HASHER:HASH_SHA1
>>     SIGNER:HMAC_SHA1_128
>>     HASHER:HASH_SHA1
>>     SIGNER:HMAC_SHA1_160
>>     HASHER:HASH_SHA1
>>     SIGNER:HMAC_MD5_96
>>     HASHER:HASH_MD5
>>     SIGNER:HMAC_MD5_128
>>     HASHER:HASH_MD5
>>     SIGNER:HMAC_SHA2_256_128
>>     HASHER:HASH_SHA256
>>     SIGNER:HMAC_SHA2_256_256
>>     HASHER:HASH_SHA256
>>     SIGNER:HMAC_SHA2_384_192
>>     HASHER:HASH_SHA384
>>     SIGNER:HMAC_SHA2_384_384
>>     HASHER:HASH_SHA384
>>     SIGNER:HMAC_SHA2_512_256
>>     HASHER:HASH_SHA512
>>     SIGNER:HMAC_SHA2_512_512
>>     HASHER:HASH_SHA512
>> attr:
>>     CUSTOM:attr
>> kernel-libipsec:
>>     CUSTOM:kernel-ipsec
>>     CUSTOM:kernel-libipsec-router
>>     CUSTOM:libcharon-receiver
>> kernel-netlink:
>>     CUSTOM:kernel-ipsec
>>     CUSTOM:kernel-net
>> resolve:
>>     CUSTOM:resolve
>> socket-default:
>>     CUSTOM:socket
>>     CUSTOM:kernel-ipsec (soft)
>> stroke:
>>     CUSTOM:stroke
>>     PRIVKEY:RSA (soft)
>>     PRIVKEY:ECDSA (soft)
>>     PRIVKEY:DSA (soft)
>>     CERT_DECODE:ANY (soft)
>>     CERT_DECODE:X509 (soft)
>>     CERT_DECODE:X509_CRL (soft)
>>     CERT_DECODE:X509_AC (soft)
>>     CERT_DECODE:TRUSTED_PUBKEY (soft)
>> updown:
>>     CUSTOM:updown
>> eap-identity:
>>     EAP_SERVER:ID
>>     EAP_CLIENT:ID
>> eap-md5:
>>     EAP_SERVER:MD5
>>     HASHER:HASH_MD5
>>     RNG:RNG_WEAK
>>     EAP_CLIENT:MD5
>>     HASHER:HASH_MD5
>>     RNG:RNG_WEAK
>> xauth-generic:
>>     XAUTH_SERVER:generic
>>     XAUTH_CLIENT:generic
>> xauth-eap:
>>     XAUTH_SERVER:eap
>>
>> # cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>> config setup
>>     charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl
>> 1 dmn 1"
>>
>> conn home
>>     left=10.x.x.x
>>     [email protected]
>>     leftauth=eap-md5
>>     rightauth=psk
>>     leftsourceip=%config
>>     leftfirewall=yes
>>     ike=3des-sha1-prfsha1-modp1024!
>>     esp=aes128-sha1!
>>     right=10.x.x.x
>>     rightsubnet=0.0.0.0/0
>>     rightid=%any
>>     auto=add
>>     mobike=no
>>     dpddelay=200s
>>     dpdaction=clear
>>     rekey=yes
>>     ikelifetime=86400
>>     lifetime=36000
>>     reauth=no
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>
>> cat /etc/strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>
>>     # number of worker threads in charon
>>     threads = 16
>>
>>     close_ike_on_child_failure = yes
>>     retransmit_tries = 20
>>     retransmit_timeout = 20
>>     retransmit_base = 1
>>
>>     keep_alive = 20s
>>     # send strongswan vendor ID?
>>     # send_vendor_id = yes
>>
>>     plugins {
>>
>>         sql {
>>             # loglevel to log into sql database
>>             loglevel = -1
>>             # URI to the database
>>             # database = sqlite:///path/to/file.db
>>             # database = mysql://user:password@localhost
>> /database
>>         }
>>         resolve{
>>             file = /etc/resolvtunnel.conf
>>         }
>>         kernel-netlink {
>>             fwmark = !0x42
>>         }
>>         socket-default {
>>             fwmark = 0x42
>>         }
>>         kernel-libipsec {
>>             allow_peer_ts = yes
>>         }
>>     }
>>
>>
>> Let me know if this is an existing issue. Please let me know if any
>> further information is required.
>>
>> Regards,
>> Sriram.
>>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
