[Openswan Users] keeping SA made OCF resource leak

willer.wang at cybertan.com.tw
Tue Jul 21 22:15:56 EDT 2009


Thanks for your reply, please see my description below.

1. I use OPENSWAN 2.6.20 and 2.6.22 to trigger the chip vendor's HW acceleration agent through OCF. This HW agent will allocate memory resources until ipsec_ocf_sa_free() asks it to free them.

2. Establish a tunnel, set ipsec_lifetime=60s. When the IPsec SA is renewed, the old inbound SA asks the HW agent to free memory through the function ipsec_ocf_sa_free(), and this SA is also freed. But the old outbound SA is still kept in the SA linked list, and it never asks ipsec_ocf_sa_free() to free the HW agent resource. As time goes on, the HW agent can't take care of any new SA and all tunnels will be disconnected.

3. I don't know what the purpose is of OPENSWAN keeping all old outbound SAs all the time. Is it to prevent rebuilding the same SA?

THX,
Willer
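A small C model of the rekey behaviour described above, added here as an illustration (it is not Openswan or OCF code; `struct sa`, the HW agent counters and `hw_sessions_after_rekeys()` are hypothetical stand-ins): it counts how many HW agent sessions are still held after n rekeys, first with the kept outbound SA never released, then with its OCF session released while the SA entry stays on the list.

```c
#include <stdlib.h>

/* Hypothetical model of an OCF-backed IPsec SA (not Openswan's ipsec_sa struct). */
struct sa {
    unsigned spi;
    int inbound;       /* 1 = inbound, 0 = outbound */
    int ocf_session;   /* handle held by the simulated HW agent, -1 once released */
    struct sa *next;
};

static int hw_next_handle, hw_sessions_live;  /* simulated HW agent bookkeeping */
static int  hw_agent_alloc(void) { hw_sessions_live++; return ++hw_next_handle; }
static void hw_agent_free(int h) { (void)h; hw_sessions_live--; }
/* Stand-in for ipsec_ocf_sa_free(): hand the HW resource back exactly once. */
static void ocf_sa_free(struct sa *s) {
    if (s->ocf_session >= 0) { hw_agent_free(s->ocf_session); s->ocf_session = -1; }
}
static struct sa *sa_new(unsigned spi, int inbound) {
    struct sa *s = calloc(1, sizeof *s);
    s->spi = spi; s->inbound = inbound; s->ocf_session = hw_agent_alloc();
    return s;
}

/* Rekey as described in the thread: the old inbound SA is released and unlinked,
 * the old outbound SA stays on the list. With release_kept_outbound == 0 the kept
 * SA never reaches ocf_sa_free() (the leak); with 1 its HW session is released
 * while the SA entry itself remains listed. */
static void rekey(struct sa **head, unsigned new_spi, int release_kept_outbound) {
    struct sa **pp = head, *old, *in, *out;
    while ((old = *pp) != NULL) {
        if (old->inbound) { *pp = old->next; ocf_sa_free(old); free(old); continue; }
        if (release_kept_outbound) ocf_sa_free(old);
        pp = &old->next;
    }
    in = sa_new(new_spi, 1); out = sa_new(new_spi + 1, 0);
    in->next = out; out->next = *head; *head = in;
}
static void sa_list_free(struct sa *s) {
    while (s) { struct sa *n = s->next; ocf_sa_free(s); free(s); s = n; }
}

/* Bring up one tunnel, rekey it n times, and report how many HW agent sessions are
 * still held afterwards. A healthy agent holds only the current pair, i.e. 2. */
int hw_sessions_after_rekeys(int n, int release_kept_outbound) {
    struct sa *head = NULL; int i, live;
    hw_next_handle = 0; hw_sessions_live = 0;
    rekey(&head, 0x1000, release_kept_outbound);   /* initial SA pair */
    for (i = 0; i < n; i++) rekey(&head, 0x2000 + 2u * (unsigned)i, release_kept_outbound);
    live = hw_sessions_live; sa_list_free(head);
    return live;
}
```

With the kept outbound SA never released, the held-session count grows by one per rekey, which is the growth a practitioner would look for in the HW agent's allocation statistics.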


-----Original Message-----
From: David McCullough [mailto:David_Mccullough at securecomputing.com] 
Sent: Wednesday, July 22, 2009 6:47 AM
To: Willer Wang 王明偉 (52216)
Cc: users at openswan.org
Subject: Re: [Openswan Users] keeping SA made OCF resource leak


Jivin willer.wang at cybertan.com.tw lays it down ...
> I found a problem between re SA and OCF.
> 
> When SA replaced, OPENSWAN will keep one more SA than it freed.
> 
> As time goes on, there will be lots of SAs kept in OPENSWAN.
> 
> It’s ok if OCF is not up.
> 
> But if we are using OPENSWAN with OCF, 
> 
> the kept SAs will occupy system resources through OCF. 
> 
>  
> 
> It seems not easy to modify the state machine of re SA.
> 
> Would someone give me advice about this problem?

Which versions of OCF and openswan are you using ?

I can't say I have seen this but I may be looking in the wrong place :-)
How are you determining that you are losing SAs ?

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org



