#22 many connections, anycast-listen and 1024

racoon
Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-16
Created: 2005-09-23
Creator: david
Private: No

Hello,

I have some problems using racoon with many different secure connections. It is a quite uncommon problem. I use 2 Linux machines (SuSE Linux 9.2, patched to kernel 2.6.12.3). Machine A is a "server" and has the IP address 10.0.0.1. Machine B (main IP address 10.0.0.2) should simulate different clients, and gets an IP address for each client. I use a script to add all IP addresses between 10.1.1.1 and 10.1.254.254.

Now I have 2 C programs on both machines. The program on the client (machine B) now binds a port to 10.1.1.1 and connects to 10.0.0.1, sends something, receives something and holds the connection. Next the client binds a second port to the IP address 10.1.1.2 and connects to the server 10.0.0.1..... After all I have between both machines 65.000 connections from all IP addresses to 10.0.0.1. To reach this I had to set some kernel parameters (/proc) to make this work.

The next step is to secure these connections. I use racoon for IKE (version 0.5.2; 0.6+ doesn't work, don't know why). For every IP address racoon now wants to open a socket with port 500. This doesn't work: after 1024 you get an error message. In racoon the function select() is used to check the sockets for whether they have data or not. The array fd_set has a maximum size of 1024 (FD_SETSIZE). In my C program I got the same problems, so I use the function poll() instead and can define the array (and its size) myself. So I had to go another way. In the listen parameter (racoon.conf) I set only one socket to 0.0.0.0[500] (anycast). If I start racoon I get a warning ("listening to wildcard address, broadcast IKE packet may kill you"), but it works.

The config files for both machines are:

Machine A - the "server" with one IP address

# racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

listen
{
    isakmp 10.0.0.1[500];
    isakmp fec0::8000:0:0:1[500];
    strict_address;
}

remote anonymous
{
    exchange_mode main;
    initial_contact off;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;          # maximum trying count to send.
    interval 20 sec;    # maximum interval to resend.
    persend 1;          # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

# setkey.conf
# First of all flush the SPD database
flush;
spdflush;

# Add some SPD rules
# Very likely you'll want to replace these rules with your own ones
spdadd 10.1.0.0/16 10.0.0.1 any -P in ipsec
    esp/transport//require ah/transport//require;
spdadd 10.0.0.1 10.1.0.0/16 any -P out ipsec
    esp/transport//require ah/transport//require;

spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
    esp/transport//require ah/transport//require;
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
    esp/transport//require ah/transport//require;

Machine B - the clients with 65.000 IP addresses

# racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

listen
{
    isakmp 0.0.0.0[500];
    # isakmp ::[500];
    strict_address;
}

remote anonymous
{
    exchange_mode main;
    initial_contact off;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;          # maximum trying count to send.
    interval 20 sec;    # maximum interval to resend.
    persend 1;          # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 60 sec;
    phase2 30 sec;
}

#log debug;

# setkey.conf
# First of all flush the SPD database
flush;
spdflush;

# Add some SPD rules
# Very likely you'll want to replace these rules with your own ones
spdadd 10.1.0.0/16 10.0.0.1 any -P out ipsec
    esp/transport//require ah/transport//require;
spdadd 10.0.0.1 10.1.0.0/16 any -P in ipsec
    esp/transport//require ah/transport//require;

spdadd 10.0.0.2 10.0.0.1 any -P out ipsec
    esp/transport//require ah/transport//require;
spdadd 10.0.0.1 10.0.0.2 any -P in ipsec
    esp/transport//require ah/transport//require;

If my program sets up a connection, it gets an error on the first try (ok), but racoon starts to exchange the keys (IKE). On the second try the socket will connect and I can send/receive encrypted data. Now my program can set up the next connection with the next IP address, and so on. But after 1024 secured connections it "crashes". My program gets an error even on the second connect() try - "No Buffer space is available". My program tries to connect from the next IP addresses (first try), and racoon does IKE, but all sockets above 1024 get "No Buffer space is available" on the second (and third, and...) try. If I change the setkey rules to only one security (not AH AND ESP, only AH OR ESP), I get the failure after 2048 connections. Racoon doesn't give any error messages (also not in debug mode), but I can't close it with Control+C and I had to stop it with an external "rcracoon stop". This is my first problem. Is there a way to make it work with many secure connections? Or am I the first with these horrible requirements?

I tried to use a newer version of racoon (0.6, 0.6.1), but it seems not to work with my listen parameter 0.0.0.0. Racoon doesn't react if machine B wants to set up a connection from 10.1.1.1 to 10.0.0.1. If I ping from machine A from 10.0.0.1 to 10.1.1.1, racoon starts to do IKE between these IP addresses and after that my program can set up this connection "from the other side".

My second problem is the duration of IKE. My program has to wait about 3 seconds after the connection 10.1.1.1->10.0.0.1 (racoon does IKE) to set up the next one from 10.1.1.2. Racoon can't do IKE in parallel, even if I change the one anycast listen to more listen IP addresses. Is there a way to change this?

If you are missing some information or don't understand the problem exactly, say what you need.

Thanks in advance.
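The report above attributes the 1024-socket ceiling to racoon's use of select(), whose fd_set is sized by FD_SETSIZE, and notes that poll() has no such cap. The following C program is an added example illustrating that point; it is not racoon's code and not the reporter's program. It adds the check a practitioner wants next to any select() loop: FD_SET() on a descriptor numbered FD_SETSIZE or higher writes past the end of the fd_set bitmap, which is memory corruption rather than a clean error, so descriptors must be range-checked before they reach select(). The function names (fd_fits_select, wait_readable_poll, demo_poll_readiness) are this example's own, and the AF_UNIX socket pairs are constructed stand-ins for the per-address UDP/500 sockets in the report.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* select() can only track descriptors numbered below FD_SETSIZE (1024 with
 * glibc).  FD_SET() on a larger fd writes outside the fd_set bitmap, so any
 * select()-based loop must refuse such descriptors instead of using them. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait up to timeout_ms for any of n descriptors to become readable, using
 * poll() so that n is bounded only by RLIMIT_NOFILE, not by FD_SETSIZE.
 * Readable descriptors are copied into readable[]; returns their count or -1. */
int wait_readable_poll(const int *fds, size_t n, int timeout_ms,
                       int *readable, size_t readable_cap)
{
    struct pollfd *pfd = calloc(n, sizeof *pfd);   /* heap-sized, not fixed */
    if (!pfd)
        return -1;
    for (size_t i = 0; i < n; i++) {
        pfd[i].fd = fds[i];
        pfd[i].events = POLLIN;
    }
    int rc;
    do {
        rc = poll(pfd, n, timeout_ms);
    } while (rc < 0 && errno == EINTR);           /* retry on signal */
    if (rc < 0) {
        free(pfd);
        return -1;
    }
    size_t count = 0;
    for (size_t i = 0; i < n && count < readable_cap; i++) {
        if (pfd[i].revents & (POLLIN | POLLHUP | POLLERR))
            readable[count++] = pfd[i].fd;
    }
    free(pfd);
    return (int)count;
}

/* Constructed demo: create `pairs` connected AF_UNIX datagram socket pairs,
 * send one byte into the first `armed` of them, and return how many receiving
 * ends poll() reports readable (expected: exactly `armed`). */
int demo_poll_readiness(size_t pairs, size_t armed)
{
    if (armed > pairs)
        return -1;
    int *rx = malloc(pairs * sizeof *rx);
    int *tx = malloc(pairs * sizeof *tx);
    int *ready = malloc(pairs * sizeof *ready);
    size_t made = 0;
    int result = -1;
    if (!rx || !tx || !ready)
        goto out;
    for (; made < pairs; made++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
            goto out;
        rx[made] = sv[0];
        tx[made] = sv[1];
    }
    for (size_t i = 0; i < armed; i++)
        if (send(tx[i], "x", 1, 0) != 1)
            goto out;
    result = wait_readable_poll(rx, pairs, 200, ready, pairs);
out:
    for (size_t i = 0; i < made; i++) {
        close(rx[i]);
        close(tx[i]);
    }
    free(rx);
    free(tx);
    free(ready);
    return result;
}

int main(void)
{
    printf("FD_SETSIZE = %d; fd 1500 usable with select(): %s\n",
           FD_SETSIZE, fd_fits_select(1500) ? "yes" : "no");
    printf("poll() over 16 socket pairs with 5 armed: %d readable\n",
           demo_poll_readiness(16, 5));
    return 0;
}
```

The design point is that the pollfd array is allocated per call and sized by the caller, so the same loop serves 16 sockets or 65,000 of them (subject only to the process file-descriptor limit); a select()-based loop would have to reject every descriptor that fails fd_fits_select() to stay memory-safe.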

Discussion

  • Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

  • Timo Teras - 2009-01-16
    • status: open --> closed
