Issue #1106

Updated by Tobias Brunner over 4 years ago

This box has one IPsec tunnel, but I have a box that has 100 tunnels that runs out of 2 GB of memory and swap space after about 3 days. (The box crashes due to no swap.) I have searched everywhere and can't find an issue with my configuration. If I kill Charon and load it again, it will gradually eat up memory. Reboot, fresh install, nothing stops it from eating memory.

<pre>
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p15, amd64):
uptime: 44 days, since Jul 27 13:24:48 2015
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Listening IP addresses:
X.X.X.X
X.X.X.X
X.X.X.X
X.X.X.X
Connections:
bypasslan: %any...%any IKEv1/2
bypasslan: local: uses public key authentication
bypasslan: remote: uses public key authentication
bypasslan: child: X.X.X.X/X|/0 === X.X.X.X/X|/0 PASS
con1: X.X.X.X...X.X.X.X IKEv2, dpddelay=10s
con1: local: [X.X.X.X] uses pre-shared key authentication
con1: remote: [X.X.X.X] uses pre-shared key authentication
con1: child: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0 TUNNEL, dpdaction=restart
Shunted Connections:
bypasslan: X.X.X.X/X|/0 === X.X.X.X/X|/0 PASS
Routed Connections:
con1{2233}: ROUTED, TUNNEL, reqid 1
con1{2233}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0
Security Associations (1 up, 0 connecting):
con1[188]: ESTABLISHED 3 hours ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
con1[188]: IKEv2 SPIs: 634c4b09653e75f6_i 3f096e7e6e227d29_r*, pre-shared key reauthentication in 4 hours
con1[188]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
con1{2232}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c42e8a95_i c67e08b4_o
con1{2232}: AES_CBC_256/HMAC_MD5_96, 597807 bytes_i (7711 pkts, 0s ago), 10543976 bytes_o (9315 pkts, 1161s ago), rekeying in 17 minutes
con1{2232}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0
con1{2234}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7e77372_i ced2ce23_o
con1{2234}: AES_CBC_256/HMAC_MD5_96, 255838 bytes_i (3165 pkts, 0s ago), 1549768 bytes_o (3179 pkts, 0s ago), rekeying in 34 minutes
con1{2234}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0
</pre>
<pre>
/var/etc/ipsec: top | grep charon
35874 root 17 20 0 497M 297M uwait 1 5:21 0.00% charon
</pre>
