Saturday, October 17, 2015

LibreSWAN setup for heavy usage

After setting up libreswan you might find that the tunnel disconnects when there are many sessions. On the libreswan machine, if you try to ping a host on the other side of the tunnel you get the following:

connect: No buffer space available

This is caused by the xfrm4_gc_thresh setting being too low. It controls the size of the IPsec routing table; when the limit is reached the table is garbage-collected, which removes entries belonging to active connections. You can verify the value as follows:

cat /proc/sys/net/ipv4/xfrm4_gc_thresh

1024

If you get a low value like 1024 you will hit the problem. Increase the value:

sysctl -w net.ipv4.xfrm4_gc_thresh=32768
sysctl -p

Add the setting to /etc/sysctl.conf to make it permanent:

net.ipv4.xfrm4_gc_thresh = 32768
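The check and the persistent change above can be wrapped in a small script so that a fleet of tunnel hosts can be audited before they start dropping sessions. The following is an added example, not part of the original post or of libreswan itself: the target value 32768, the sysctl key and the /etc/sysctl.conf path come from the post, while the function names and the constructed files used in the demo are assumptions. It also makes the sysctl.conf edit idempotent, so running it twice does not stack duplicate lines.

```shell
#!/bin/sh
# Added example (not from the original post): audit xfrm4_gc_thresh against
# the 32768 target recommended above and persist it without duplicating
# sysctl.conf entries. Function names and demo files are assumptions.

XFRM_TARGET=32768
XFRM_SYSCTL_PATH=/proc/sys/net/ipv4/xfrm4_gc_thresh
XFRM_SYSCTL_KEY=net.ipv4.xfrm4_gc_thresh

# xfrm_thresh_ok VALUE
# Returns 0 when VALUE is an integer >= XFRM_TARGET, 1 when it is too low,
# 2 when VALUE is not a plain integer (unexpected /proc content).
xfrm_thresh_ok() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$XFRM_TARGET" ]
}

# xfrm_check_current [PATH]
# Prints "ok <value>", "low <value>", "unreadable <value>" or "missing"
# (no xfrm4 sysctl at all, e.g. a kernel without xfrm or a non-Linux host).
xfrm_check_current() {
    path="${1:-$XFRM_SYSCTL_PATH}"
    if [ ! -r "$path" ]; then
        echo "missing"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$path")
    rc=0
    xfrm_thresh_ok "$value" || rc=$?
    case "$rc" in
        0) echo "ok $value" ;;
        2) echo "unreadable $value" ;;
        *) echo "low $value" ;;
    esac
}

# xfrm_ensure_sysctl_conf FILE
# Appends "net.ipv4.xfrm4_gc_thresh = 32768" to FILE unless a line for that
# key is already present. Prints "added" or "present".
xfrm_ensure_sysctl_conf() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -Eq "^[[:space:]]*${XFRM_SYSCTL_KEY}[[:space:]]*=" "$conf"; then
        echo "present"
    else
        echo "$XFRM_SYSCTL_KEY = $XFRM_TARGET" >> "$conf"
        echo "added"
    fi
}

# Demonstration on constructed files, so it runs without root or a tunnel.
# On a real host call: xfrm_check_current; xfrm_ensure_sysctl_conf /etc/sysctl.conf
xfrm_demo() {
    tmpdir=$(mktemp -d)
    echo 1024 > "$tmpdir/gc_thresh"                 # constructed low value
    xfrm_check_current "$tmpdir/gc_thresh"          # low 1024
    echo 32768 > "$tmpdir/gc_thresh"                # constructed fixed value
    xfrm_check_current "$tmpdir/gc_thresh"          # ok 32768
    xfrm_ensure_sysctl_conf "$tmpdir/sysctl.conf"   # added
    xfrm_ensure_sysctl_conf "$tmpdir/sysctl.conf"   # present
    rm -rf "$tmpdir"
}

xfrm_demo
```

After `xfrm_ensure_sysctl_conf /etc/sysctl.conf` reports "added", `sysctl -p` applies the file, and `xfrm_check_current` should then report "ok 32768".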