Issue #1106

Updated by Tobias Brunner over 4 years ago

This box has one IPsec tunnel, but I have a box that has 100 tunnels that runs out of 2 GB of memory and swap space after about 3 days. (The box crashes due to no swap.) I have searched everywhere and can't find an issue with my configuration. If I kill Charon and load it again, it will gradually eat up memory. Reboot, fresh install, nothing stops it from eating memory.

ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p15, amd64):
uptime: 44 days, since Jul 27 13:24:48 2015
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Listening IP addresses:
bypasslan: %any...%any IKEv1/2
bypasslan: local: uses public key authentication
bypasslan: remote: uses public key authentication
bypasslan: child: X.X.X.X/X|/0 === X.X.X.X/X|/0 PASS
con1: X.X.X.X...X.X.X.X IKEv2, dpddelay=10s
con1: local: [X.X.X.X] uses pre-shared key authentication
con1: remote: [X.X.X.X] uses pre-shared key authentication
con1: child: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0 TUNNEL, dpdaction=restart
Shunted Connections:
bypasslan: X.X.X.X/X|/0 === X.X.X.X/X|/0 PASS
Routed Connections:
con1{2233}: ROUTED, TUNNEL, reqid 1
con1{2233}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0
Security Associations (1 up, 0 connecting):
con1[188]: ESTABLISHED 3 hours ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
con1[188]: IKEv2 SPIs: 634c4b09653e75f6_i 3f096e7e6e227d29_r*, pre-shared key reauthentication in 4 hours
con1[188]: IKE proposal: AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
con1{2232}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c42e8a95_i c67e08b4_o
con1{2232}: AES_CBC_256/HMAC_MD5_96, 597807 bytes_i (7711 pkts, 0s ago), 10543976 bytes_o (9315 pkts, 1161s ago), rekeying in 17 minutes
con1{2232}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0
con1{2234}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7e77372_i ced2ce23_o
con1{2234}: AES_CBC_256/HMAC_MD5_96, 255838 bytes_i (3165 pkts, 0s ago), 1549768 bytes_o (3179 pkts, 0s ago), rekeying in 34 minutes
con1{2234}: X.X.X.X/X|/0 === X.X.X.X/X|/0 X.X.X.X/X|/0

/var/etc/ipsec: top | grep charon
35874 root 17 20 0 497M 297M uwait 1 5:21 0.00% charon