Bug #2313: 5.5.2 client fails to connect after 256 connections using freebsd 11 - strongSwan

Bug #2313

5.5.2 client fails to connect after 256 connections using freebsd 11

Added by Mike E about 2 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Tobias Brunner

Category:

freebsd

Target version:

5.5.3

Start date:

Due date:

Estimated time:

Affected version:

5.5.2

Resolution:

Fixed

Description

FreeBSD Strongswan client fails to connect after 256 ipsec up/ipsec down commands.

Using latest version from ports (5.5.2) on

# uname -a
FreeBSD strongswan2 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:48:40 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

ifconfig.txt (633 Bytes) ifconfig.txt	ifconfig output	Mike E, 02.05.2017 14:00
ipsec_server.conf (402 Bytes) ipsec_server.conf	ipsec.conf from the server side	Mike E, 02.05.2017 14:00
netstat.txt (962 Bytes) netstat.txt	netstat from client after failed connect	Mike E, 02.05.2017 14:00
ipsec_statusall.txt (938 Bytes) ipsec_statusall.txt	ipsec statusall from client	Mike E, 02.05.2017 14:00
ipsec.conf (852 Bytes) ipsec.conf	clientside ipsec.conf	Mike E, 02.05.2017 14:00
uname.txt (168 Bytes) uname.txt	uname -a	Mike E, 02.05.2017 14:00
debug.log (26.2 KB) debug.log	kernel debug messages	Mike E, 02.05.2017 14:00
messages (96.6 KB) messages		Mike E, 02.05.2017 14:00
charon_debug.log (3.39 MB) charon_debug.log		Mike E, 02.05.2017 14:00

Associated revisions

Revision 59e6e933 (diff)
Added by Tobias Brunner about 2 years ago

tun-device: Use next free TUN device on FreeBSD

While this API is documented as legacy (and there is a sysctl option to
disable it) the documentation also mentions that it will probably stay
enabled by default due to compatibility issues with existing applications.

With the previous approach only 255 devices could be opened then the
daemon had to be restarted.

Fixes #2313.

History

#1 Updated by Tobias Brunner about 2 years ago

Status changed from New to Feedback

Yep: source:src/libstrongswan/networking/tun_device.c#L486.

#2 Updated by Mike E about 2 years ago

Hi Tobias,

The freebsd tun driver has the ability to return the lowest unused tun device by opening "/dev/tun" (since 5.0-RELEASE). Wouldn't this be the preferred method for creating a tun device?

https://www.freebsd.org/cgi/man.cgi?query=tun&apropos=0&sektion=4&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html

#3 Updated by Tobias Brunner about 2 years ago

Tracker changed from Issue to Bug

I think I didn't use that because it's documented as legacy feature. But I guess the following means it's unlikely it will disappear:

Disabling the legacy devfs cloning functionality may break existing
applications which use tun, such as ppp(8) and ssh(1). It therefore
defaults to being enabled until further notice.

If you like you can try the patch in the 2313-freebsd-tun branch.

#4 Updated by Mike E about 2 years ago

Works great, thanks!

#5 Updated by Tobias Brunner about 2 years ago

Target version set to 5.5.3

#6 Updated by Tobias Brunner about 2 years ago

Status changed from Feedback to Closed
Assignee set to Tobias Brunner
Resolution set to Fixed

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues

New issues