[Bug 242606] Low capacity of Variable "IPSEC_MANUAL_REQID_MAX" crashes StrongSwan IPSec/IKEV2 VPN Server

bugzilla-noreply at freebsd.org
Thu Dec 12 16:09:30 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242606

            Bug ID: 242606
           Summary: Low capacity of Variable "IPSEC_MANUAL_REQID_MAX"
                    crashes StrongSwan IPSec/IKEV2 VPN Server
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: geovaneg at mprs.mp.br

Hi,

We have an IPSec/IKEv2 server running on pfSense 2.4.4-RELEASE-p3 (amd64).
The VPN server serves an average of 40 concurrent mobile clients.
Each phase 1 tunnel created has three phase 2 tunnels.
When the "reqid" variable reaches the value "16384", the "trap not found" error
shown in the log samples below occurs, and users can connect but cannot pass
traffic over the VPN.
In my environment this value is reached approximately every 30 days.
To resolve the issue, I need to stop the VPN service and start it again so that
the variable is reset.

Logs samples:

Aug 18 20:12:10 vpn2 charon: 02[KNL] creating acquire job for policy serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Aug 18 20:12:10 vpn2 charon: 13[CFG] trap not found, unable to acquire reqid 16384

Dec 11 11:34:34 vpn2 charon: 14[KNL] creating acquire job for policy serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Dec 11 11:34:34 vpn2 charon: 01[CFG] trap not found, unable to acquire reqid 16384

strongSwan developer response:

That is because of IPSEC_MANUAL_REQID_MAX (0x3fff == 16383), file
"include/uapi/linux/ipsec.h". Which is a strangely low limit (at least for
keying daemons like strongSwan that manage reqids themselves) since reqids are
32-bit numbers.

reqids are currently allocated sequentially using a static counter
(source:src/libcharon/kernel/kernel_interface.c#L328). The code that allocates
them does not know anything about the limit above (it doesn't even know or care
that it runs on a FreeBSD kernel).

My report:
https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-unable-to-acquire-reqid

Other reports:

https://wiki.strongswan.org/issues/2315
https://lists.strongswan.org/pipermail/dev/2018-August/001929.html

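The failure mode described in this report, as an added illustration that is not code from strongSwan, pfSense or the FreeBSD kernel. The block models the two allocation schemes the developer's response contrasts: a static counter that grows without regard to the limit, and a hypothetical allocator (an assumption for illustration, not strongSwan's actual fix) that tracks reqids in use and wraps within the manual range so that ids freed by departed clients are reused. It also includes a small log check that pulls the reqid out of charon's "with reqid {N}" and "unable to acquire reqid N" lines and reports how close a running server is to the limit; the SAMPLE_LOG lines are constructed after the ones quoted above, and the value of IPSEC_MANUAL_REQID_MAX is the one the developer quotes (0x3fff == 16383).

```c
/*
 * Illustration only: not strongSwan, pfSense or FreeBSD code.
 * Build: cc -std=c99 -Wall -o reqid reqid.c && ./reqid
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value quoted in the report from FreeBSD's ipsec.h: 0x3fff == 16383. */
#define IPSEC_MANUAL_REQID_MAX 0x3fff

/* --- 1. Naive scheme: a static, monotonically increasing counter -------- */
/* This is the behaviour the developer describes: nothing here knows about the
 * kernel's limit, so after 16383 allocations the next id is 16384. */
static uint32_t next_reqid_naive = 1;

uint32_t alloc_reqid_naive(void)
{
    return next_reqid_naive++;
}

/* Hand out n reqids from the naive counter and return the last one. */
uint32_t simulate_naive(unsigned n)
{
    uint32_t last = 0;
    while (n-- > 0)
        last = alloc_reqid_naive();
    return last;
}

/* --- 2. Hypothetical bounded scheme (assumption, not strongSwan's fix) --- */
/* A bitmap of reqids in use plus a cursor that wraps within [1, MAX]. Ids
 * released when a CHILD_SA goes away become available again, so 40 clients
 * with 3 CHILD_SAs each only ever occupy about 120 of the 16383 ids. */
static uint8_t reqid_in_use[(IPSEC_MANUAL_REQID_MAX + 1 + 7) / 8];
static uint32_t reqid_cursor = 1;

static bool reqid_test(uint32_t id)
{
    return (reqid_in_use[id / 8] >> (id % 8)) & 1u;
}

static void reqid_mark(uint32_t id, bool used)
{
    if (used)
        reqid_in_use[id / 8] |= (uint8_t)(1u << (id % 8));
    else
        reqid_in_use[id / 8] &= (uint8_t)~(1u << (id % 8));
}

/* Returns a free reqid in [1, IPSEC_MANUAL_REQID_MAX], or 0 if every manual
 * reqid is currently in use (a genuine pool exhaustion, not a counter overflow). */
uint32_t alloc_reqid_bounded(void)
{
    for (uint32_t tries = 0; tries < IPSEC_MANUAL_REQID_MAX; tries++) {
        uint32_t id = reqid_cursor;
        reqid_cursor = (reqid_cursor % IPSEC_MANUAL_REQID_MAX) + 1; /* wraps MAX -> 1 */
        if (!reqid_test(id)) {
            reqid_mark(id, true);
            return id;
        }
    }
    return 0;
}

void release_reqid_bounded(uint32_t id)
{
    if (id >= 1 && id <= IPSEC_MANUAL_REQID_MAX)
        reqid_mark(id, false);
}

/* Model `clients` clients holding `children` CHILD_SAs each, reconnecting
 * `rounds` times (each reconnect releases the old ids and allocates new ones).
 * Returns the highest reqid handed out, or 0 if the allocator ever ran dry. */
uint32_t simulate_bounded_churn(unsigned clients, unsigned children, unsigned rounds)
{
    unsigned live = clients * children;
    uint32_t *held = calloc(live, sizeof *held);
    uint32_t highest = 0;
    if (held == NULL)
        return 0;
    for (unsigned r = 0; r < rounds; r++) {
        for (unsigned i = 0; i < live; i++) {
            if (r > 0)
                release_reqid_bounded(held[i]);
            held[i] = alloc_reqid_bounded();
            if (held[i] == 0) {
                free(held);
                return 0;
            }
            if (held[i] > highest)
                highest = held[i];
        }
    }
    free(held);
    return highest;
}

/* --- 3. Log check: how close is a live server to the limit? ------------- */
/* Constructed sample lines modelled on the ones in the report. */
static const char SAMPLE_LOG[] =
    "Dec 11 11:30:00 vpn2 charon: 05[KNL] creating acquire job for policy serverIP/32|/0 === clientIP/32|/0 with reqid {16201}\n"
    "Dec 11 11:34:34 vpn2 charon: 14[KNL] creating acquire job for policy serverIP/32|/0 === clientIP/32|/0 with reqid {16384}\n"
    "Dec 11 11:34:34 vpn2 charon: 01[CFG] trap not found, unable to acquire reqid 16384\n";

/* Highest reqid mentioned in a charon log excerpt, or 0 if none is found.
 * Accepts both "with reqid {N}" and "unable to acquire reqid N". */
uint32_t max_reqid_in_log(const char *log)
{
    uint32_t highest = 0;
    const char *p = log;
    while ((p = strstr(p, "reqid")) != NULL) {
        p += strlen("reqid");
        while (*p == ' ' || *p == '{')
            p++;
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end != p && v <= UINT32_MAX && v > highest)
            highest = (uint32_t)v;
        p = end;
    }
    return highest;
}

/* True once a reqid is past the manual range, the point at which the
 * report's "trap not found, unable to acquire reqid" error appears. */
bool reqid_beyond_manual_max(uint32_t reqid)
{
    return reqid > IPSEC_MANUAL_REQID_MAX;
}

int main(void)
{
    uint32_t seen = max_reqid_in_log(SAMPLE_LOG);
    printf("highest reqid in log: %u (manual max %u): %s\n", (unsigned)seen,
           (unsigned)IPSEC_MANUAL_REQID_MAX,
           reqid_beyond_manual_max(seen) ? "beyond limit, expect 'trap not found'"
                                         : "within limit");
    printf("naive counter after %u allocations hands out %u\n",
           (unsigned)IPSEC_MANUAL_REQID_MAX + 1,
           (unsigned)simulate_naive(IPSEC_MANUAL_REQID_MAX + 1));
    printf("bounded allocator, 40 clients x 3 CHILD_SAs, 200 reconnects: highest id %u\n",
           (unsigned)simulate_bounded_churn(40, 3, 200));
    return 0;
}
```

With the reporter's figures (40 clients, three phase 2 tunnels each, a reconnect churn that exhausts 16383 ids in about a month), the bounded allocator never hands out an id above 16383 because released ids are reused, whereas the naive counter crosses the limit after exactly 16383 allocations regardless of how many tunnels are actually live. Until the daemon is fixed, grepping charon's log for the current reqid (the log check above) gives a few days' warning before the service has to be restarted.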