[Openswan Users] pluto causes system out of memory when interop with fortigate.
Jason Sigurdur
jason.sigurdur at aspenview.org
Tue Sep 7 14:15:04 EDT 2010
Still having problems with Openswan consuming all free memory after 2-3 days. Below is more configuration and status output from both devices.
jason
ipsec.conf
conn ipsec710
left=192.168.7.1
leftnexthop=192.168.7.254
right=192.168.10.5
rightnexthop=192.168.10.254
esp=aes128-sha1;modp1536
ike=aes128-sha1;modp2048
000 "ipsec710": 192.168.7.1<192.168.7.1>[+S=C]---192.168.7.254...192.168.10.254---192.168.10.5<192.168.10.5>[+S=C]; erouted; eroute owner: #5147
000 "ipsec710": myip=unset; hisip=unset;
000 "ipsec710": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec710": policy: PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "ipsec710": newest ISAKMP SA: #5146; newest IPsec SA: #5147;
000 "ipsec710": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14); flags=-strict
000 "ipsec710": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14)
000 "ipsec710": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "ipsec710": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "ipsec710": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ipsec710": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
From the Fortigate 80C:
name=ipsec710 ver=1 serial=2 192.168.10.5:0->192.168.7.1:0 lgwy=dyn tun=intf mode=auto bound_if=4
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=0
stat: rxp=35045 txp=31257 rxb=7790952 txb=7488599
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=67573
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ipsec710_2 proto=0 sa=1 ref=2 auto_negotiate=1 serial=1 transport-mode
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=00000025 type=00 soft=0 mtu=1432 expire=3173 replaywin=0 seqno=1ae
life: type=01 bytes=0/0 timeout=3573/3600
dec: spi=9d7a74cc esp=aes key=16 abc9ac02f8f8bbd6f230d3f271c5a4b0
ah=sha1 key=20 8874f94664d1f603f547616b72f038bc99829d7e
enc: spi=770e24a0 esp=aes key=16 a681edef09ae065f81ecbe0c2754e998
ah=sha1 key=20 686e36d4f616faba03fcab54b8f6c7912346ad35
config vpn ipsec phase1-interface
edit "ipsec710"
set interface "wan1"
set nattraversal disable
set dhgrp 14
set proposal aes128-sha1
set remote-gw 192.168.7.1
set psksecret ENC Averylongstring
next
config vpn ipsec phase2-interface
edit "ipsec710_2"
set auto-negotiate enable
set encapsulation transport-mode
set keepalive enable
set phase1name "ipsec710"
set proposal aes128-sha1
set replay disable
set keylifeseconds 3600
next
end