[Bug 242606] Low capacity of Variable "IPSEC_MANUAL_REQID_MAX" crashes StrongSwan IPSec/IKEV2 VPN Server
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Dec 12 16:09:30 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242606
Bug ID: 242606
Summary: Low capacity of Variable "IPSEC_MANUAL_REQID_MAX"
crashes StrongSwan IPSec/IKEV2 VPN Server
Product: Base System
Version: 11.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: geovaneg at mprs.mp.br
Hi,
We have a IPSec/IKEV2 Server running in PFSense 2.4.4-RELEASE-p3 (amd64).
The VPN server serves an average of 40 concurrent mobile clients.
Each phase 1 tunnel created has three phase 2 tunnels.
When the "reqid" variable reaches the value "16384", the "trap not found" error
logged in the logs below occurs and users can connect but cannot traffic over
the VPN.
In my environment this value is reached approximately every 30 days.
To resolve the issue, I need to stop the VPN service and start it again for the
variable to be reset.
Logs samples:
Aug 18 20:12:10 vpn2 charon: 02[KNL] creating acquire job for policy
serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Aug 18 20:12:10 vpn2 charon: 13[CFG] trap not found, unable to acquire reqid
16384
Dec 11 11:34:34 vpn2 charon: 14[KNL] creating acquire job for policy
serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Dec 11 11:34:34 vpn2 charon: 01[CFG] trap not found, unable to acquire reqid
16384
Strongswan developer response:
That because of IPSEC_MANUAL_REQID_MAX (0x3fff == 16383), file
"include/uapi/linux/ipsec.h". Which is a strangely low limit (at least for
keying daemons like strongSwan that manage reqids themselves) since reqids are
32-bit numbers.
reqids are currently allocated sequentially using a sttic counter
(source:src/libcharon/kernel/kernel_interface.c#L328). The code that allocates
them does not know anything about the limit above (it doesn't even know or care
that it runs on a FreeBSD kernel).
My report:
https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-unable-to-acquire-reqid
Others reports:
https://wiki.strongswan.org/issues/2315
https://lists.strongswan.org/pipermail/dev/2018-August/001929.html
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list