From owner-freebsd-net@freebsd.org  Mon Feb 19 17:44:55 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CABA3F14AEA
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Mon, 19 Feb 2018 17:44:55 +0000 (UTC)
 (envelope-from kmisak@gmail.com)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com
 [IPv6:2607:f8b0:400d:c0d::234])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 607C18217B
 for <freebsd-net@freebsd.org>; Mon, 19 Feb 2018 17:44:55 +0000 (UTC)
 (envelope-from kmisak@gmail.com)
Received: by mail-qt0-x234.google.com with SMTP id g14so13210259qti.2
 for <freebsd-net@freebsd.org>; Mon, 19 Feb 2018 09:44:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=EyppjxLhrrqVW+01i8HJq7lpxNnllSC6NX2bcrJ6+Jo=;
 b=t3hWzjM9WlOKfe6+vYF0dGj9IT2fLDWvtM2wrRIJrUh4+uUzq1YWLx+u9gps5TEHNy
 cjYv+uimAq0WSZOHS1rF6lAhg0kXsal+BKc2Kb6UlyUQzWXjAiQhnJKN4DvNTXGz37za
 IYzNK0r9cG+NXbHCgZK20KMyn45biuZaG5c8maP9iSvjXnCj4uMBGNqCl40rdqjlSHLb
 VFy5pZQ1RA9S4r2XLRntDy62ZuhQ3Hrmhja8q7JnOX6z1b2Tue+OGzj+lbt8tCchCSnI
 UcX2zFg6pYSkLvUgpB9qjMeJlfWQU3PKnspXGWQSCKusph5dnlHLJL74zu/aJTFdIB2H
 vIog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=EyppjxLhrrqVW+01i8HJq7lpxNnllSC6NX2bcrJ6+Jo=;
 b=EQ5plOQaOBI7DAhl1TksjJOSl/yU3vqqayel28VmazJpQ+QlJnsP07SQuw8EGhuzTg
 eRZ10bMhnlXkwDD4lhOr14mrTz6524bh7/6qh8E6pH8txLutE3Td23ti8O/Q4d0FB6fP
 6p94PikJ3MJOQeKmO1tD0zPsL7bvrfOUZVpuE6DXAzfnNk0IUqolgOVPX9sAYlYbibUF
 AvSop5mMDL/cJ2DjRqJQubF9wwqlvB5crDnED80hi6RAQBqto9QgNX4uyBiRNlx4SCPk
 uYC+fB0ni18LvecRGN5ONlUcIcCtxAB4Nl6G7ss5ArWDNy49lCQM64PKNaupeyLIh4gp
 98/w==
X-Gm-Message-State: APf1xPBBp3S1pt57LNvhdPFr2ebuqv8mEeMkNyTXeToBcF4RLq/Sm3Wm
 9mmXgBbeWPpi/OsP4zNJ4HYOfsGkiRrRbjY3f0VfJg==
X-Google-Smtp-Source: AH8x227wokUPhofCRyxZsOFK5/SgUGD0K5Y2Quk4zhB0TZ70/+3DtS255/t0wVtIosgITkPXKWza+NOFYxL7IpNW4B8=
X-Received: by 10.200.15.250 with SMTP id f55mr17118760qtk.171.1519062294847; 
 Mon, 19 Feb 2018 09:44:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.112.24 with HTTP; Mon, 19 Feb 2018 09:44:54 -0800 (PST)
In-Reply-To: <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>
References: <CABfKv0mYX2ouQ1k6M2Bd90yp=eQXP6HcHL7+dE2AZQ9afQ+c2g@mail.gmail.com>
 <5A8A97EC.4040103@grosbein.net>
 <CABfKv0ntGt6TCP7v9xa=MSSZqHwYbZtYtVd6s0gZ-Mbdu2qk5A@mail.gmail.com>
 <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>
From: Misak Khachatryan <kmisak@gmail.com>
Date: Mon, 19 Feb 2018 21:44:54 +0400
Message-ID: <CABfKv0kvTLJjv7F6y7DTXxE-oXspOHTJti+j0Ftqv5xVpqQQRQ@mail.gmail.com>
Subject: Re: Racoon and setkey problems
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2018 17:44:56 -0000

Hi Andrey,

yes, all output is from same machine. I'll recheck all configs again,
or, if it's OK, I can post them here. The most confusing thing is that
everything worked as a charm several years. And nothing changed in
configurations until logs stars to fill up with these messages and i
tried to play with some settings to troubleshoot.

Best regards,
Misak Khachatryan


On Mon, Feb 19, 2018 at 2:56 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> On 19.02.2018 12:28, Misak Khachatryan wrote:
>> Hi,
>>
>> # vmstat -m | egrep "sec|sah|pol"
>>  inpcbpolicy   122     4K       -  4955796  32
>>     secasvar 48558 12140K       -  1572045  256
>>       sahead     3     1K       -       15  256
>>  ipsecpolicy   256    64K       -  9911740  256
>> ipsecrequest    12     2K       -       48  128
>>   ipsec-misc 389632 12176K       - 12575976  16,32,64
>>    ipsec-saq     3     1K       -       15  128
>>    ipsec-reg     3     1K       -       12  32
>>        histogram by message type:
>>                getspi: 1533688
>>                update: 1533640
>>                add: 25
>>                delete: 1
>>                acquire: 1569975
>>                register: 16
>>                expire: 2968244
>>                flush: 10
>>                dump: 111982
>>                x_promisc: 48
>>                x_spdadd: 48
>>                x_spddump: 60
>>                x_spdflush: 7
>
> This looks very strange. Are these from the same machine?
> You said the system has only 3 tunnels. From this output I can say, that
> you have too many SAs. Huge numbers for getspi, update, and acquire
> messages means that you have security policy that produces many SAs.
> Probably something wrong with your configs.
>
> --
> WBR, Andrey V. Elsukov
>