Date: Thu, 12 Dec 2019 16:09:30 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 242606] Low capacity of Variable "IPSEC_MANUAL_REQID_MAX" crashes StrongSwan IPSec/IKEV2 VPN Server Message-ID: <bug-242606-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D242606 Bug ID: 242606 Summary: Low capacity of Variable "IPSEC_MANUAL_REQID_MAX" crashes StrongSwan IPSec/IKEV2 VPN Server Product: Base System Version: 11.2-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: geovaneg@mprs.mp.br Hi, We have a IPSec/IKEV2 Server running in PFSense 2.4.4-RELEASE-p3 (amd64). The VPN server serves an average of 40 concurrent mobile clients. Each phase 1 tunnel created has three phase 2 tunnels. When the "reqid" variable reaches the value "16384", the "trap not found" e= rror logged in the logs below occurs and users can connect but cannot traffic ov= er the VPN. In my environment this value is reached approximately every 30 days. To resolve the issue, I need to stop the VPN service and start it again for= the variable to be reset. Logs samples: Aug 18 20:12:10 vpn2 charon: 02[KNL] creating acquire job for policy serverIP/32|/0 =3D=3D=3D clientIP/32|/0 with reqid {16384} Aug 18 20:12:10 vpn2 charon: 13[CFG] trap not found, unable to acquire reqid 16384 Dec 11 11:34:34 vpn2 charon: 14[KNL] creating acquire job for policy serverIP/32|/0 =3D=3D=3D clientIP/32|/0 with reqid {16384} Dec 11 11:34:34 vpn2 charon: 01[CFG] trap not found, unable to acquire reqid 16384 Strongswan developer response: That because of IPSEC_MANUAL_REQID_MAX (0x3fff =3D=3D 16383), file "include/uapi/linux/ipsec.h". Which is a strangely low limit (at least for keying daemons like strongSwan that manage reqids themselves) since reqids = are 32-bit numbers. reqids are currently allocated sequentially using a sttic counter (source:src/libcharon/kernel/kernel_interface.c#L328). The code that alloca= tes them does not know anything about the limit above (it doesn't even know or = care that it runs on a FreeBSD kernel). My report: https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-una= ble-to-acquire-reqid Others reports: https://wiki.strongswan.org/issues/2315 https://lists.strongswan.org/pipermail/dev/2018-August/001929.html --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-242606-227>