From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Misak Khachatryan, Eugene Grosbein
Cc: freebsd-net@freebsd.org
Subject: Re: Racoon and setkey problems
Date: Mon, 19 Feb 2018 13:56:57 +0300
Message-ID: <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>
References: <5A8A97EC.4040103@grosbein.net>
Openpgp: id=E6591E1B41DA1516F0C9BC0001C5EA0410C8A17A
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 19.02.2018 12:28, Misak Khachatryan wrote:
> Hi,
>
> # vmstat -m | egrep "sec|sah|pol"
>   inpcbpolicy    122     4K    -   4955796  32
>      secasvar  48558 12140K    -   1572045  256
>        sahead      3     1K    -        15  256
>   ipsecpolicy    256    64K    -   9911740  256
>  ipsecrequest     12     2K    -        48  128
>    ipsec-misc 389632 12176K    -  12575976  16,32,64
>     ipsec-saq      3     1K    -        15  128
>     ipsec-reg      3     1K    -        12  32
>
> histogram by message type:
>         getspi: 1533688
>         update: 1533640
>            add: 25
>         delete: 1
>        acquire: 1569975
>       register: 16
>         expire: 2968244
>          flush: 10
>           dump: 111982
>      x_promisc: 48
>       x_spdadd: 48
>      x_spddump: 60
>     x_spdflush: 7

This looks very strange. Are these from the same machine? You said the
system has only 3 tunnels. From this output I can say that you have too
many SAs. Huge numbers for getspi, update, and acquire messages mean that
you have a security policy that produces many SAs. Probably something is
wrong with your configs.

-- 
WBR, Andrey V. Elsukov
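The reasoning in the reply above (a few static tunnels should hold only a few SAs per SA head, and getspi/update/acquire counts in the millions mean the policy keeps producing new SAs) can be turned into a check that runs over the counters as pasted. The following is an added example, not code from FreeBSD, racoon, or anyone in this thread. It parses the `vmstat -m` lines for the IPsec malloc types (the columns `vmstat -m` prints are Type, InUse, MemUse, HighUse, Requests and Size(s); the egrep in the thread dropped the header row) and the PF_KEY "histogram by message type" block. The two limits, MAX_SAS_PER_SAHEAD and MAX_ACQUIRE_PER_TUNNEL, are assumptions chosen for illustration, and SAMPLE_OK is a constructed healthy 3-tunnel host used as the contrast case.

```python
"""Sanity check for the FreeBSD IPsec counters quoted in this thread.

Added example; not code from FreeBSD, racoon, or the mail's author.
It parses the IPsec lines of `vmstat -m` and the PF_KEY message
histogram, then compares them with what a few static tunnels need.
"""
import re

# Output quoted in the thread above (the host has 3 configured tunnels).
SAMPLE_BAD = """\
inpcbpolicy 122 4K - 4955796 32
secasvar 48558 12140K - 1572045 256
sahead 3 1K - 15 256
ipsecpolicy 256 64K - 9911740 256
ipsecrequest 12 2K - 48 128
ipsec-misc 389632 12176K - 12575976 16,32,64
ipsec-saq 3 1K - 15 128
ipsec-reg 3 1K - 12 32
histogram by message type:
getspi: 1533688
update: 1533640
add: 25
delete: 1
acquire: 1569975
register: 16
expire: 2968244
flush: 10
dump: 111982
x_promisc: 48
x_spdadd: 48
x_spddump: 60
x_spdflush: 7
"""

# Constructed counters for a healthy 3-tunnel host (not from the thread):
# one live SA per direction per tunnel and a few rekeys since boot.
SAMPLE_OK = """\
secasvar 6 2K - 40 256
sahead 3 1K - 3 256
histogram by message type:
getspi: 20
update: 20
add: 0
acquire: 20
expire: 40
"""

# vmstat -m columns: Type InUse MemUse HighUse Requests Size(s)
VMSTAT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)K\s+-\s+(\d+)\s+(\S+)$")
HIST_RE = re.compile(r"^(\w+):\s+(\d+)$")

# Assumed limits (illustration only): an SA head normally carries the live
# SA plus at most one replacement during rekey, and a static tunnel should
# not have triggered thousands of acquire requests to the IKE daemon.
MAX_SAS_PER_SAHEAD = 4
MAX_ACQUIRE_PER_TUNNEL = 1000


def parse(text):
    """Return (malloc, hist): malloc maps type -> (InUse, MemUse KiB,
    Requests); hist maps PF_KEY message type -> count."""
    malloc, hist = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = VMSTAT_RE.match(line)
        if m:
            name, inuse, mem, req, _sizes = m.groups()
            malloc[name] = (int(inuse), int(mem), int(req))
            continue
        m = HIST_RE.match(line)
        if m:
            hist[m.group(1)] = int(m.group(2))
    return malloc, hist


def diagnose(malloc, hist, tunnels):
    """Derive per-head and per-tunnel ratios and list anything that does
    not fit `tunnels` static tunnels. Empty findings == looks sane."""
    tunnels = max(tunnels, 1)
    sa_inuse = malloc.get("secasvar", (0, 0, 0))[0]
    saheads = malloc.get("sahead", (0, 0, 0))[0]
    getspi, update = hist.get("getspi", 0), hist.get("update", 0)
    acquire = hist.get("acquire", 0)
    sas_per_head = sa_inuse / saheads if saheads else 0.0
    acquire_per_tunnel = acquire / tunnels
    report = {
        "sa_inuse": sa_inuse,
        "sas_per_sahead": sas_per_head,
        "acquire_per_tunnel": acquire_per_tunnel,
        # getspi allocates a larval SA, update completes it; the gap is
        # how many negotiations were started but never finished.
        "larval_outstanding": getspi - update,
        "findings": [],
    }
    if sas_per_head > MAX_SAS_PER_SAHEAD:
        report["findings"].append(
            f"{sa_inuse} SAs on {saheads} SA head(s) = {sas_per_head:.0f} "
            f"per head, expected at most {MAX_SAS_PER_SAHEAD}")
    if acquire_per_tunnel > MAX_ACQUIRE_PER_TUNNEL:
        report["findings"].append(
            f"{acquire} acquire messages for {tunnels} tunnel(s) = "
            f"{acquire_per_tunnel:.0f} per tunnel; the policy keeps asking "
            f"for new SAs")
    return report


if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_BAD), ("healthy", SAMPLE_OK)):
        rep = diagnose(*parse(sample), tunnels=3)
        print(label, "findings:", rep["findings"] or "none")
```

On the thread's numbers this reports roughly 16186 SAs per SA head and about 523k acquire messages per tunnel, while getspi and update differ by only 48: negotiations are completing, so the churn comes from the policy, not from a failing IKE exchange. The constructed healthy sample produces no findings.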