[Swan] Libreswan 3.15- Any Limit on number of Tunnel Connections

Paul Wouters paul at nohats.ca
Wed Aug 9 03:46:53 UTC 2017


On Sun, 23 Jul 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco) wrote:

> I am using Libreswan 3.15 on CentOS 6.8 running on a VM. The same version of Libreswan is used on the peer.

> Please clarify the following queries-
> 
> 1)   I am observing that when the disk space nears 90% or more, any of the ipsec commands seems to hang and does not complete. I observed that the pluto log file (/var/lib/pluto.log)
> occupied several gigabytes. Any attempt to zero out this log file or reduce its size by removing a few thousand lines of accumulated past logs does not resolve the issue. This issue got
> resolved after rebooting the VM.
> 
> Could someone clarify if there is an alternate way to resolve this issue?

You can use logging via syslog, which can be properly logrotated. Using
logfile= (or plutostderrlog=) leads to a file that has to be truncated
manually (and really requires a restart of the daemon).

Later versions have reduced a lot of logging. Also, do not run with
plutodebug= at all - it should not be needed for normal operation.

We are looking at adding another alternative for logging via dbus, which
would also move the responsibility of taking the logs and processing
them to another processor.

> 2)   In the current scenario, a single tunnel is set up between the two peers, with multiple ipsec configuration files created to connect to many simulated (virtual) devices across this
> tunnel. Somehow, it appears that many connections are not getting established across this tunnel at a given time. Only a limited number of connections succeed, and the message "Cannot
> communicate through IPSec Tunnel" is observed at the peer end for the remaining devices.
> 
> Is there any limitation on the number of connections that can pass across this tunnel?

There should not be any limitations. Although you might be running low
on entropy if setting up hundreds of connections between two peers.
Consider running jitterentropy-rngd or haveged on the hosts.

> 3)   Could someone please share the ipsec configuration file when multihomed IPs are involved for connecting to many simulated (virtual) devices?

Note that if you just change leftsubnet/rightsubnet, you will be
using a shared IKE SA and not really simulating many clients. To do
that properly, it is best to use unique leftid/rightid and left/right
IP addresses.

Paul
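Added example, not part of the thread or of the Libreswan project: a POSIX shell script that emits an ipsec.conf following the three points in the reply above. The config setup section sets no logfile= (so pluto logs to syslog, which logrotate can manage) and plutodebug=none, and each simulated device gets its own conn with a distinct left address and leftid so that each one negotiates its own IKE SA instead of sharing one. The addresses, the @client/@gw ids and the 10.200.0.0/16 subnet are placeholders, and authby=secret assumes a PSK for each id exists in ipsec.secrets; the helper names (gen_setup, gen_conns, gen_config, count_unique_leftids) are this script's own.

```shell
#!/bin/sh
# Added example (not Libreswan's own code). Generates an ipsec.conf for N
# simulated devices, each with a unique left address and leftid/rightid, so
# each device gets its own IKE SA. All addresses and ids are placeholders.

# config setup section: log via syslog (no logfile= setting), debugging off
gen_setup() {
    cat <<'EOF'
config setup
    # No logfile setting: pluto logs to syslog, which logrotate can rotate.
    # plutodebug stays off for normal operation.
    plutodebug=none
    protostack=netkey
EOF
}

# gen_conns N PEER_ADDR PEER_ID BASE_PREFIX
# Emits N conns; simulated device i uses address BASE_PREFIX.i and id
# @client<i>.example.test (placeholder names, assumed here).
gen_conns() {
    n=$1; peer=$2; peerid=$3; base=$4
    i=1
    while [ "$i" -le "$n" ]; do
        cat <<EOF

conn client$i
    ikev2=insist
    authby=secret
    left=$base.$i
    leftid=@client$i.example.test
    right=$peer
    rightid=$peerid
    rightsubnet=10.200.0.0/16
    auto=start
EOF
        i=$((i+1))
    done
}

# Full config: setup section followed by the per-device conns.
gen_config() {
    gen_setup
    gen_conns "$@"
}

# Sanity check: number of distinct leftid= values in the generated config.
# For a correct config this equals N (one IKE identity per simulated device).
count_unique_leftids() {
    gen_config "$@" | sed -n 's/^[[:space:]]*leftid=//p' | sort -u | wc -l | tr -d ' '
}

# Usage: ./gen-ipsec-conf.sh --demo   (prints a config for 3 devices)
if [ "${1:-}" = "--demo" ]; then
    gen_config 3 203.0.113.1 @gw.example.test 198.51.100
fi
```

Run the output through `ipsec addconn --checkconfig` (or simply restart pluto) after installing it as /etc/ipsec.conf; pluto will then log to syslog and each conn will show up as its own IKE SA in `ipsec status`.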

