https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242606

            Bug ID: 242606
           Summary: Low capacity of Variable "IPSEC_MANUAL_REQID_MAX"
                    crashes StrongSwan IPSec/IKEV2 VPN Server
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: b...@freebsd.org
          Reporter: geova...@mprs.mp.br

Hi,

We have an IPSec/IKEV2 Server running in PFSense 2.4.4-RELEASE-p3 (amd64).
The VPN server serves an average of 40 concurrent mobile clients.
Each phase 1 tunnel created has three phase 2 tunnels.
When the "reqid" variable reaches the value "16384", the "trap not found" error
logged in the logs below occurs and users can connect but cannot pass traffic
over the VPN.
In my environment this value is reached approximately every 30 days.
To resolve the issue, I need to stop the VPN service and start it again for the
variable to be reset.

Log samples:

Aug 18 20:12:10 vpn2 charon: 02[KNL] creating acquire job for policy
serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Aug 18 20:12:10 vpn2 charon: 13[CFG] trap not found, unable to acquire reqid
16384

Dec 11 11:34:34 vpn2 charon: 14[KNL] creating acquire job for policy
serverIP/32|/0 === clientIP/32|/0 with reqid {16384}
Dec 11 11:34:34 vpn2 charon: 01[CFG] trap not found, unable to acquire reqid
16384

Strongswan developer response:

That's because of IPSEC_MANUAL_REQID_MAX (0x3fff == 16383), file
"include/uapi/linux/ipsec.h", which is a strangely low limit (at least for
keying daemons like strongSwan that manage reqids themselves) since reqids are
32-bit numbers.

reqids are currently allocated sequentially using a static counter
(source:src/libcharon/kernel/kernel_interface.c#L328). The code that allocates
them does not know anything about the limit above (it doesn't even know or care
that it runs on a FreeBSD kernel).

My report:
https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-unable-to-acquire-reqid

Other reports:

https://wiki.strongswan.org/issues/2315
https://lists.strongswan.org/pipermail/dev/2018-August/001929.html
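As an added illustration (not code from this report, from strongSwan or from FreeBSD) of why the ever-growing static counter described above eventually crosses IPSEC_MANUAL_REQID_MAX while an allocator that recycles released ids never does, in C. The kernel's acceptance check is modelled here as a plain range test, which is an assumption about its behaviour, and every function name below is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
/* Limit named in the developer response (0x3fff == 16383). */
#define IPSEC_MANUAL_REQID_MAX 0x3fff

/* Kernel-side acceptance, modelled for this example (an assumption, not
 * FreeBSD's key.c): a reqid above the manual range is not usable as given. */
static bool kernel_accepts_reqid(uint32_t reqid)
{
    return reqid != 0 && reqid <= IPSEC_MANUAL_REQID_MAX;
}

/* Naive allocator: the ever-growing static counter the response describes. */
static uint32_t naive_alloc_reqid(void)
{
    static uint32_t counter = 0;
    return ++counter;
}

/* Bounded allocator: a table of in-use ids, reusing released ones, so the
 * value stays in [1, IPSEC_MANUAL_REQID_MAX]. Returns 0 only on exhaustion. */
static uint8_t in_use[IPSEC_MANUAL_REQID_MAX + 1]; /* indexed by reqid */
static uint32_t next_hint = 1;
static uint32_t bounded_alloc_reqid(void)
{
    for (uint32_t n = 0; n < IPSEC_MANUAL_REQID_MAX; n++) {
        uint32_t id = (next_hint - 1 + n) % IPSEC_MANUAL_REQID_MAX + 1;
        if (!in_use[id]) {
            in_use[id] = 1;
            next_hint = id % IPSEC_MANUAL_REQID_MAX + 1;
            return id;
        }
    }
    return 0;
}
static void bounded_release_reqid(uint32_t id) { in_use[id] = 0; }

/* Install `tunnels` policies in turn, releasing each afterwards when a release
 * function is given; return the first reqid the kernel model rejects, or 0. */
static uint32_t first_rejected(uint32_t (*alloc)(void),
                               void (*release)(uint32_t), unsigned tunnels)
{
    for (unsigned i = 0; i < tunnels; i++) {
        uint32_t id = alloc();
        if (!kernel_accepts_reqid(id))
            return id;
        if (release) release(id);
    }
    return 0;
}
```

With the naive counter the 16384th install is the first one the model refuses, matching the reqid in the logs above; the bounded allocator only fails when all 16383 ids are genuinely held at once.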
