Good morning All, I am facing an issue where the number of SAs keeps going up and then charon starts hogging the CPU. I would highly appreciate it if anyone could comment on whether I have misconfigured some parameter or if this is a known issue. Details below:
We are running strongSwan 5.9.5 on ppc64, Linux kernel 4.1.35. It is noted that after a rekey timeout, a new SA is created (ESTABLISHED/INSTALLED). This happens only with traffic. Over a period of time, the number of SAs keeps increasing and then charon hogs the CPU. Please find below the ipsec.conf that is being used and a log of my session showing the increasing number of SAs.

ipsec.conf:

    sh-4.3# cat /usr/local/etc/ipsec.conf
    config setup
        charondebug=@all@
        cachecrls=yes
        uniqueids=yes
        strictcrlpolicy=no

    #####IS5#####
    conn policy1
        type=tunnel
        authby=secret
        auto=route
        keyexchange=ikev2
        ike=aes256-sha512-modp1536!
        aggressive=no
        ikelifetime=40m
        esp=aes256-sha256-modp2048!
        lifetime=20m
        right=172.16.100.101
        rightid=172.16.100.101
        rightsubnet=10.10.101.0/24
        left=172.16.100.1
        leftid=172.16.100.1
        leftsubnet=192.168.101.0/24
        dpddelay=60s
        mobike=no
        dpdaction=clear
        margintime=1m
        rekeyfuzz=0%
        leftcert=

e.g. Tunnel is set up:

    sh-4.3# date
    Mon May 16 09:15:33 UTC 2022
    sh-4.3# ipsec status policy1
    Routed Connections:
         policy1{1}:  ROUTED, TUNNEL, reqid 1
         policy1{1}:   192.168.101.0/24 === 10.10.101.0/24
    Security Associations (1 up, 0 connecting):
         policy1[1]: ESTABLISHED 22 seconds ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
         policy1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i c18d1d43_o
         policy1{2}:   192.168.101.0/24 === 10.10.101.0/24

After some time:

    sh-4.3# ipsec statusall policy1
    Status of IKE charon daemon (weakSwan 5.9.5, Linux 4.1.35-rt41, ppc64):
      uptime: 77 minutes, since May 16 09:15:14 2022
      malloc: sbrk 2400256, mmap 0, used 354336, free 2045920
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
      loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters
    Listening IP addresses:
      10.10.5.1
      192.168.101.11
      192.168.10.1
      192.168.50.2
      172.16.100.1
    Connections:
         policy1:  172.16.100.1...172.16.100.101  IKEv2, dpddelay=60s
         policy1:   local:  [172.16.100.1] uses pre-shared key authentication
         policy1:   remote: [172.16.100.101] uses pre-shared key authentication
         policy1:   child:  192.168.101.0/24 === 10.10.101.0/24 TUNNEL, dpdaction=clear
    Routed Connections:
         policy1{1}:  ROUTED, TUNNEL, reqid 1
         policy1{1}:   192.168.101.0/24 === 10.10.101.0/24
    Security Associations (2 up, 0 connecting):
         policy1[2]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
         policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r, pre-shared key reauthentication in 17 seconds
         policy1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
         policy1{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i ca96f84a_o
         policy1{13}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
         policy1{13}:   192.168.101.0/24 === 10.10.101.0/24
         policy1[3]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
         policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*, pre-shared key reauthentication in 17 seconds
         policy1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
         policy1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o
         policy1{12}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
         policy1{12}:   192.168.101.0/24 === 10.10.101.0/24

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr, Mississauga, Ontario L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandprad...@is5com.com
Website: www.iS5Com.com
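As an added monitoring check (example code written for this note, not part of the original post and not strongSwan's own tooling): a small Python script that parses `ipsec statusall` output, counts established IKE SAs and installed CHILD SAs per connection, and flags the pattern shown in the listing above, where `policy1` has two IKE SAs up and two CHILD SAs that carry no traffic in either direction. With `uniqueids=yes` one would expect a single IKE SA per peer pair to survive a rekey or reauthentication, so the default thresholds are one IKE SA and one CHILD SA per connection. The sample status text embedded below is constructed from the post's listing; `live_status()` is a hypothetical helper that assumes the `ipsec` stroke CLI is available on the host.

```python
"""Flag IKE/CHILD SA accumulation in `ipsec statusall` output (added example)."""
import re
import subprocess
from collections import defaultdict

# Constructed sample, modelled on the second `ipsec statusall policy1` listing in the post:
# two ESTABLISHED IKE SAs and two idle INSTALLED CHILD SAs for one connection.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
     policy1[2]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
     policy1[2]: IKEv2 SPIs: 518b7019c5d03118_i* 74fe5d2949eaed95_r, pre-shared key reauthentication in 17 seconds
     policy1[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
     policy1{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9bab39c_i ca96f84a_o
     policy1{13}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
     policy1{13}:   192.168.101.0/24 === 10.10.101.0/24
     policy1[3]: ESTABLISHED 38 minutes ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
     policy1[3]: IKEv2 SPIs: 005c2ec500a6a55d_i c00aead9fa60759a_r*, pre-shared key reauthentication in 17 seconds
     policy1[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
     policy1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c5fabaf0_i c5dad3ed_o
     policy1{12}:  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
     policy1{12}:   192.168.101.0/24 === 10.10.101.0/24
"""

# Constructed healthy sample, modelled on the first `ipsec status policy1` listing in the post.
HEALTHY_STATUS = """\
Security Associations (1 up, 0 connecting):
     policy1[1]: ESTABLISHED 22 seconds ago, 172.16.100.1[172.16.100.1]...172.16.100.101[172.16.100.101]
     policy1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4ee192d_i c18d1d43_o
     policy1{2}:   192.168.101.0/24 === 10.10.101.0/24
"""

# name[N]: ESTABLISHED ...                        -> an IKE SA
IKE_RE = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]:\s+ESTABLISHED\b")
# name{N}:  INSTALLED, ...                        -> a CHILD SA
CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED\b")
# name{N}:  <proposal>, X bytes_i ..., Y bytes_o  -> traffic counters of that CHILD SA
BYTES_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+\S+,\s+(?P<bi>\d+)\s+bytes_i.*?(?P<bo>\d+)\s+bytes_o"
)


def parse_status(text):
    """Return ({conn: {ike_id, ...}}, {conn: {child_id: (bytes_i, bytes_o) or None}})."""
    ike = defaultdict(set)
    child = defaultdict(dict)
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike[m["conn"]].add(int(m["id"]))
            continue
        m = CHILD_RE.match(line)
        if m:
            child[m["conn"]].setdefault(int(m["id"]), None)  # counters may follow on a later line
            continue
        m = BYTES_RE.match(line)
        if m:
            child[m["conn"]][int(m["id"])] = (int(m["bi"]), int(m["bo"]))
    return dict(ike), dict(child)


def check_accumulation(text, max_ike=1, max_child=1):
    """Return a list of findings; an empty list means every connection is within limits.

    max_ike=1 is the expectation for a connection with uniqueids=yes: after a rekey or
    reauthentication only one IKE SA should remain established per peer pair.
    """
    ike, child = parse_status(text)
    findings = []
    for conn in sorted(set(ike) | set(child)):
        ike_ids = sorted(ike.get(conn, ()))
        children = child.get(conn, {})
        if len(ike_ids) > max_ike:
            findings.append(f"{conn}: {len(ike_ids)} IKE SAs established {ike_ids}, expected <= {max_ike}")
        if len(children) > max_child:
            findings.append(f"{conn}: {len(children)} CHILD SAs installed {sorted(children)}, expected <= {max_child}")
            # Surplus CHILD SAs with zero counters in both directions are the leftovers worth reporting.
            idle = sorted(cid for cid, counters in children.items() if counters == (0, 0))
            if idle:
                findings.append(f"{conn}: CHILD SAs {idle} carry no traffic in either direction")
    return findings


def live_status(conn=None):
    """Hypothetical helper: run `ipsec statusall [conn]` on the local host via the stroke CLI."""
    cmd = ["ipsec", "statusall"] + ([conn] if conn else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for finding in check_accumulation(SAMPLE_STATUS):
        print(finding)
```

Run it periodically (or feed it `live_status("policy1")`) and alert when the finding list is non-empty; a steadily growing IKE SA count per connection is the early signal, well before charon's CPU usage climbs.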