[Openswan Users] crippling memory leak in openswan 2.4.4 - 2.4.7 on kernel 2.4.32, 2.4.34
Brad Langhorst
brad at langhorst.com
Sat Oct 6 14:46:36 EDT 2007
I've just downgraded my router from 2.4.7 to 2.4.4 because of a BIG
memory leak.
Here's the original thread:
http://lists.openswan.org/pipermail/users/2007-May/012387.html
Unfortunately, this downgrade didn't help at all.
I've been struggling with this for months, rebooting daily because of
100+ M of memory leakage.
I wonder if there is something strange in my configuration that's
causing me to see this bug when not many other people seem to. Maybe
nobody's using 2.4 kernel anymore? I doubt it matters, but the leaking
machine is connected to a fast fiber optic network (FIOS).
It's a simple point-to-point VPN; both sides are now running exactly the
same software.
One side (mcgruff) leaks memory into the skbuff_head_cache.
The other side (cujo) has no noticeable memory leak.
I'm attaching barfs from both sides...
Am I doing something wrong?
Here's mcgruff's config:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/24

conn cm-homeoffice
    right=vpn.coopmetrics.coop
    rightsubnet=192.168.3.0/24
    rightid="C=US, ST=NH, L=Manchester, O=Coopmetrics, OU=VPN Server, CN=vpn.coopmetrics.coop"
    left=%defaultroute
    #left=192.168.0.2
    #leftnexthop=192.168.0.1
    leftsubnet=192.168.0.0/24
    leftcert=mcgruff_cert.pem
    leftsendcert=always
    rightsendcert=yes
    auto=start
    pfs=yes

# sample VPN connection
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=start

#Disable Opportunistic Encryption
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
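
Added example (not part of the original post and not Openswan code): one way to quantify a slab leak like the skbuff_head_cache growth described above is to diff two /proc/slabinfo snapshots taken a known interval apart. The snapshot contents and the function names are constructed for illustration; the parser assumes only that the first three numeric columns are active_objs, num_objs and objsize.

```python
# Constructed sample snapshots in /proc/slabinfo layout (not taken from the post).
SNAP_T0 = """\
slabinfo - version: 1.1
kmem_cache            64     68    112    2    2    1
skbuff_head_cache    480    500    160   20   20    1
size-2048            120    122   2048   61   61    1
"""
SNAP_T1 = """\
slabinfo - version: 1.1
kmem_cache            64     68    112    2    2    1
skbuff_head_cache 655360 655360    160 26215 26215    1
size-2048            130    132   2048   66   66    1
"""

def parse_slabinfo(text):
    """Return {cache_name: (active_objs, num_objs, objsize)}."""
    caches = {}
    for line in text.splitlines():
        # Skip the version banner, the "# name ..." header and blank lines.
        if line.startswith(("slabinfo", "#")) or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 4 or not all(f.isdigit() for f in fields[1:4]):
            continue  # malformed or unexpected row: ignore rather than guess
        caches[fields[0]] = tuple(int(f) for f in fields[1:4])
    return caches

def slab_growth(before, after, seconds):
    """Rank caches by growth: list of (name, delta_bytes, bytes_per_hour)."""
    old, new = parse_slabinfo(before), parse_slabinfo(after)
    rows = []
    for name, (_, num, size) in new.items():
        # A cache absent from the first snapshot counts as starting at zero.
        old_num, old_size = old.get(name, (0, 0, size))[1:]
        delta = num * size - old_num * old_size
        rows.append((name, delta, delta * 3600 / seconds))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    # Snapshots assumed to be taken 24 hours apart.
    for name, delta, rate in slab_growth(SNAP_T0, SNAP_T1, 86400):
        print(f"{name:20s} {delta:>12d} B  {rate:>12.0f} B/h")
```

On a live system the two inputs would be saved copies of /proc/slabinfo; a cache whose byte count climbs steadily between snapshots while traffic is constant is the one to report.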