I used a tester to test VPN throughput and found that charon’s memory usage was high and was killed by the kernel. Is there any solution to limit memory usage? #2193

Open
LibreBai opened this issue Apr 2, 2024 · 13 comments
@LibreBai

LibreBai commented Apr 2, 2024

System (please complete the following information):

  • OS: centos7
  • Kernel version (if applicable): [3.10]
  • strongSwan version(s): [5.8.1]
  • Tested/confirmed with the latest version: [no]

Describe the bug
I used a tester to test VPN throughput and found that charon’s memory usage was high and was killed by the kernel. Is there any solution to limit memory usage?

@tobiasbrunner
Member

Please provide a lot more information.

@LibreBai
Author

LibreBai commented Apr 3, 2024

@tobiasbrunner Thank you for your reply.

According to the test feedback from my classmates, the memory of the charon process will occupy more than 6G and then be killed. I am not sure whether this is a memory leak or the memory occupied by normal business. If you can determine that this is abnormal memory usage, I can retest and display all configurations and memory records in detail.

@tobiasbrunner
Member

> If you can determine that this is abnormal memory usage, I can retest and display all configurations and memory records in detail.

Well, how could I determine that without knowing what you actually did? You haven't provided any information at all (config, logs etc.) or details on what that "tester" did. Also, what does "VPN throughput" mean? Because strongSwan is an IKE daemon, it does not usually handle IPsec traffic.

@LibreBai
Author

LibreBai commented Apr 7, 2024

I will provide complete information for you to judge later. The current situation is that, as shown in the red box in the picture, this process occupies more than 6G of memory, is directly killed by the kernel kill -9, and will always restart.

@LibreBai
Author

LibreBai commented Apr 7, 2024

image

@LibreBai
Author

LibreBai commented Apr 7, 2024

The configuration is shown in the figure below. The two subnets are 2.1.1.0 and 3.1.1.0.
image
image

The picture below shows the memory usage, which is growing very fast. It takes about 20 seconds to reach 6G.

The data packets passing through the VPN tunnel are UDP, with 100 source IPs and 100 destination IPs respectively, and there may be up to 10,000 sessions.

At the same time, there are also memory usage and other related prompts in dmesg.
image
image

If you need more information, please reply directly. There is currently a relevant test environment.

@LibreBai
Author

LibreBai commented Apr 7, 2024

image

@tobiasbrunner
Member

I can't read the stuff in some of these images. Anyway, as I said before, strongSwan does not generally handle IPsec traffic (or get affected by it). So the question is: are you using kernel-libipsec? If so, don't!

@LibreBai
Author

I understand what you mean, but if the data packet is sent quickly, the charon process will occupy more than 6G of memory and then be killed by the kernel.

@LibreBai
Author

This is my configuration with two linux hosts.
image

This is the network port configuration of the two devices.
image

This is after the two devices receive UDP data packets, the charon process will occupy 6G of memory in 20 seconds.
image

This is the error message reported by dmesg.
image

The kernel-libipsec related options were indeed enabled during compilation. I will test again.

@LibreBai
Author

I didn't use the --enable-kernel-libipsec parameter during compilation, but the charon process was still killed due to memory usage reaching 6GB. I'll try using a new version.

@tobiasbrunner
Member

I doubt this has anything to do with the version. Did you make sure that everything from the previous installation was removed?

@LibreBai
Author

I will conduct the first test using CentOS 7 with version 5.7.2, and then proceed with the second test using CentOS Stream with the latest version of StrongSwan. Please await my update.
