
vpnc 0.5.3 high cpu usage in linux centos 6 64 bit
1) I received about 2 Mbyte/s of data over vpnc 0.5.4 in Linux CentOS 6 64 bit; the vpnc CPU load from both top and htop was about 50% of a 1.8 MHz CPU. Is this normal, or is there any way to reduce CPU usage? I tried to profile with callgrind and it seems to spend most of its time in libgcrypt. Could it be that I am using an old libgcrypt, are there any steps to take to reduce CPU usage/load, or is it expected behaviour? The connection is reliable, but the CPU usage overloads the system to some extent. Could it be possible to disable encryption?

2) How could I determine the CPU usage of the Cisco VPN client? It is launched by a user space vpnclient and uses a cisco_ipsec.ko kernel module, but this module's CPU usage does not show up in top or htop. How could I find out the Cisco VPN client's CPU usage, including the kernel module's CPU share, under the same conditions as vpnc above? It appears not to use any CPU, which is not likely.

Thank you kindly for any information.



My configuration:

[root@centos6 vpnc-0.5.3]# uname -a
Linux centos6 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64 x86_64 GNU/Linux


[root@centos6 vpnc-0.5.3]# ./vpnc --debug 2

vpnc version 0.5.3

S1 init_sockaddr
[2011-09-12 21:42:06]

S2 make_socket
[2011-09-12 21:42:06]

S3 setup_tunnel
[2011-09-12 21:42:06]
using interface tun0

S4 do_phase1_am
[2011-09-12 21:42:06]

S4.1 create_nonce
[2011-09-12 21:42:06]

S4.2 dh setup
[2011-09-12 21:42:06]

S4.3 AM packet_1
[2011-09-12 21:42:06]

S4.4 AM_packet2
[2011-09-12 21:42:06]
(Cisco Unity)
(Xauth)
(DPD)
(Nat-T 02N)
(unknown)
(unknown)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-aes128-md5
peer is DPD capable (RFC3706)
peer is NAT-T capable (draft-02)\n
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads

S4.5 AM_packet3
[2011-09-12 21:42:06]
NAT status: this end behind NAT? YES -- remote end behind NAT? no
NAT-T mode, adding non-esp marker

S4.6 cleanup
[2011-09-12 21:42:06]

S5 do_phase2_xauth
[2011-09-12 21:42:06]

S5.1 xauth_start
[2011-09-12 21:42:06]

S5.2 notice_check
[2011-09-12 21:42:06]

S5.3 type-is-xauth check
[2011-09-12 21:42:06]

S5.4 xauth type check
[2011-09-12 21:42:06]

S5.5 do xauth authentication
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker

S5.2 notice_check
[2011-09-12 21:42:06]

S5.3 type-is-xauth check
[2011-09-12 21:42:06]

S5.6 process xauth response
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker

S5.7 xauth done
[2011-09-12 21:42:06]

S6 do_phase2_config
[2011-09-12 21:42:06]

S6.1 phase2_config send modecfg
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker

S6.2 phase2_config receive modecfg
[2011-09-12 21:42:06]
got save password setting: 0
got 8 acls for split include
acl 0: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 2: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 3: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 4: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 5: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 6: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 7: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc PIX-515E Version 7.0(6) built by builders on Tue 22-Aug-06 13:22
got address 10.10.10.21

S7 setup_link (phase 2 + main_loop)
[2011-09-12 21:42:06]

S7.0 run interface setup script
[2011-09-12 21:42:06]

S7.1 QM_packet1
[2011-09-12 21:42:07]

S7.2 QM_packet2 send_receive
[2011-09-12 21:42:07]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2011-09-12 21:42:07]

S7.4 process and skip lifetime notice
[2011-09-12 21:42:07]
got ike lifetime attributes: 7200 seconds

S7.2 QM_packet2 send_receive
[2011-09-12 21:42:07]
NAT-T mode, adding non-esp marker

S7.3 QM_packet2 validate type
[2011-09-12 21:42:07]

S7.5 QM_packet2 check reject offer
[2011-09-12 21:42:07]

S7.6 QM_packet2 check and process proposal
[2011-09-12 21:42:07]
got ipsec lifetime attributes: 2147483 seconds
IPSEC SA selected aes128-md5
got ipsec lifetime attributes: 28800 seconds
NAT-T mode, adding non-esp marker

S7.7 QM_packet3 sent
[2011-09-12 21:42:07]

S7.8 setup ipsec tunnel
[2011-09-12 21:42:07]

S7.9 main loop (receive and transmit ipsec packets)
[2011-09-12 21:42:07]
remote -> local spi: 0x5191a475
local -> remote spi: 0x1acc57e9
VPNC started in background (pid: 7964)...

[root@centos6 vpnc-0.5.3]# ldd ./vpnc
linux-vdso.so.1 => (0x00007fffe0dff000)
libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x0000003728600000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003185000000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x000000372b600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003184c00000)
/lib64/ld-linux-x86-64.so.2 (0x0000003184800000)
Re: vpnc 0.5.3 high cpu usage in linux centos 6 64 bit
Hello Guglielmo,
I have put the list back in copy; someone else could be interested.

I was wrong suggesting S4.3. The right place is S7.2.
In S7.2 vpnc sends the server a list of possible proposals for the
encryption.
Then in S7.3 the server replies with the one it chose.
Some comments are inside the dump below.

Within the list sent by vpnc there is also the proposal for "no
encryption", but your server chose aes128 (together with hash md5).
If you remove all the encryption algorithms from the list sent by vpnc,
the server will be forced either to accept "no encryption" or to
refuse the connection (if configured that way).
In fact, the server could be configured to avoid "no encryption",
considering such a proposal unacceptable. It will then refuse to deal with
you and send back a request to close the connection.
You have to try to find out what the server configuration is.

There is no command line flag to force this situation.
You should hack the code.
I think it is enough to change the following line in vpnc.c, function
make_our_sa_ipsec():
- for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
+ crypt = 0; {
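Review bot: the replacement depends entirely on table order. It keeps only supp_crypt[0], so before applying it confirm in vpnc.c that index 0 of supp_crypt is the NULL/no-encryption entry and not the first real cipher; otherwise the shrunken loop merely pins a single cipher instead of removing encryption from the offer. The bare "{ ... }" block left behind "crypt = 0;" compiles, but deserves a one-line comment saying why the loop was removed, and it is worth restating next to the patch what the message says above: the resulting ESP SA is protected by the hash only and carries the payload in clear, so a server configured to reject "no encryption" will close the connection.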
It will shrink the loop to supp_crypt[0] only.

Good luck!
Antonio

On Wed, Sep 14, 2011 at 3:07 PM, <g.fanini@gmail.com> wrote:
> Hello Antonio,
>
> I enclose the output of vpnc --debug 3. There is nothing after S4.3 AM
> packet_1; does it imply anything regarding the possibility of disabling
> encryption/decryption? Thank you for any information, kindly.
>
> Regards.
>
> Guglielmo Fanini
>
>
>
> [root@centos6 LOG]# vpnc --debug 3
>
> vpnc version 0.5.3
>  hex_test: 00010203
<snip>
> S7 setup_link (phase 2 + main_loop)
> [2011-09-14 09:03:38]
>
> S7.0 run interface setup script
> [2011-09-14 09:03:38]
> RTNETLINK answers: File exists
>
> S7.1 QM_packet1
> [2011-09-14 09:03:41]
>
> S7.2 QM_packet2 send_receive
> [2011-09-14 09:03:41]
>  size = 588, blksz = 16, padding = 4
>
> sending: ========================>
>  BEGIN_PARSE
>  Recieved Packet Len: 620
>  i_cookie: 8769b363 eacbeded
>  r_cookie: ddc64548 67caabe2
>  payload: 08 (ISAKMP_PAYLOAD_HASH)
>  isakmp_version: 10
>  exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
>  flags: 01
>  message_id: 0442f1b6
>  len: 0000026c
>
>  PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>  next_type: 01 (ISAKMP_PAYLOAD_SA)
>  length: 0014
>  ke.data: b0d3f0bd df70c738 b40efe72 dfa65585
>  DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
>  PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>  next_type: 0a (ISAKMP_PAYLOAD_NONCE)
>  length: 0204
>  sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
>  sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
>
>  PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>  next_type: 02 (ISAKMP_PAYLOAD_P)
>  length: 002c
>  p.number: 00
>  p.prot_id: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
>  p.spi_size: 04
>  length: 01
>  p.spi: 747f4f6f
>

The following is the first proposal, for encryption AES256, hash SHA.

>  PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>  next_type: 00 (ISAKMP_PAYLOAD_NONE)
>  length: 0020
>  t.number: 00
>  t.id: 0c (ISAKMP_IPSEC_ESP_AES)
>  t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
>  t.attributes.u.attr_16: 0100
>  t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>  t.attributes.u.attr_16: f003 (IPSEC_ENCAP_UDP_TUNNEL_OLD)
>  t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>  t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
>  t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>  t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>  t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>  t.attributes.u.lots.length: 0004
>  t.attributes.u.lots.data: 0020c49b
>  DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>

<snip>
This is the last proposal, for "no encryption", hash md5.

>  PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>  next_type: 00 (ISAKMP_PAYLOAD_NONE)
>  length: 001c
>  t.number: 00
>  t.id: 0b (ISAKMP_IPSEC_ESP_NULL)
>  t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>  t.attributes.u.attr_16: f003 (IPSEC_ENCAP_UDP_TUNNEL_OLD)
>  t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>  t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>  t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>  t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>  t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>  t.attributes.u.lots.length: 0004
>  t.attributes.u.lots.data: 0020c49b
>  DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>

<snip>

>
> receiving: <========================
> [2011-09-14 09:03:41]
>
> S7.3 QM_packet2 validate type
> [2011-09-14 09:03:41]
>  BEGIN_PARSE

<snip>

>
> S7.4 process and skip lifetime notice
> [2011-09-14 09:03:41]
>  got ike lifetime attributes: 7200 seconds
>
> S7.2 QM_packet2 send_receive
> [2011-09-14 09:03:41]
>  NAT-T mode, adding non-esp marker
>
>
> receiving: <========================
> [2011-09-14 09:03:41]
>
> S7.3 QM_packet2 validate type
> [2011-09-14 09:03:41]
>  BEGIN_PARSE
>  Recieved Packet Len: 188
>  i_cookie: 8769b363 eacbeded
>  r_cookie: ddc64548 67caabe2
>  payload: 08 (ISAKMP_PAYLOAD_HASH)
>  isakmp_version: 10
>  exchange_type: 20 (ISAKMP_EXCHANGE_IKE_QUICK)
>  flags: 01
>  message_id: 0442f1b6
>  len: 000000bc
>
>  PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>  next_type: 01 (ISAKMP_PAYLOAD_SA)
>  length: 0014
>  ke.data: 0c0727b8 6287d27a 8598a44f 0e2721ea
>  DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)
>
>  PARSING PAYLOAD type: 01 (ISAKMP_PAYLOAD_SA)
>  next_type: 0a (ISAKMP_PAYLOAD_NONCE)
>  length: 0038
>  sa.doi: 00000001 (ISAKMP_DOI_IPSEC)
>  sa.situation: 00000001 (ISAKMP_IPSEC_SIT_IDENTITY_ONLY)
>
>  PARSING PAYLOAD type: 02 (ISAKMP_PAYLOAD_P)
>  next_type: 00 (ISAKMP_PAYLOAD_NONE)
>  length: 002c
>  p.number: 01
>  p.prot_id: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
>  p.spi_size: 04
>  length: 01
>  p.spi: 40f95f02
>

And this is the proposal accepted by the server, AES128, MD5.

>  PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>  next_type: 00 (ISAKMP_PAYLOAD_NONE)
>  length: 0020
>  t.number: 01
>  t.id: 0c (ISAKMP_IPSEC_ESP_AES)
>  t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
>  t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
>  t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
>  t.attributes.u.lots.length: 0004
>  t.attributes.u.lots.data: 0020c49b
>  t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
>  t.attributes.u.attr_16: f003 (IPSEC_ENCAP_UDP_TUNNEL_OLD)
>  t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
>  t.attributes.u.attr_16: 0001 (IPSEC_AUTH_HMAC_MD5)
>  t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
>  t.attributes.u.attr_16: 0080
>  DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
>
<snip>
>
> S7.5 QM_packet2 check reject offer
> [2011-09-14 09:03:41]
>
> S7.6 QM_packet2 check and process proposal
> [2011-09-14 09:03:41]
>  got ipsec lifetime attributes: 2147483 seconds

Finally vpnc prints the selected proposal:

>  IPSEC SA selected aes128-md5
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
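Antonio's description of the S7.2 proposal list and the S7.3 selection can be checked directly against the bytes on the wire. The following Python decoder is an added example, not vpnc's code: it walks a chain of ISAKMP proposal payloads (RFC 2408 sections 3.5 and 3.6) with their IPsec DOI transform attributes (RFC 2407 section 4.5) and flags offers a client should not advertise if it does not want the server to be able to pick them, such as ESP_NULL or MD5 integrity. The sample bytes are constructed to mirror the decoded fields in the dump above (AES-256/HMAC-SHA first, ESP_NULL/HMAC-MD5 last, SPI 747f4f6f, lifetime 0x0020c49b); on the wire the basic (TV) attributes carry the AF bit 0x8000, which vpnc's dump does not print. The function names and the weak-offer policy are my own.

```python
import struct

# IPsec DOI values (RFC 2407 sections 4.4.4 and 4.5); only those seen in the dump are named.
ESP_TRANSFORM_IDS = {0x0b: "ESP_NULL", 0x0c: "ESP_AES"}
ATTR_TYPES = {1: "SA_LIFE_TYPE", 2: "SA_LIFE_DURATION", 4: "ENCAP_MODE",
              5: "AUTH_ALG", 6: "KEY_LENGTH"}
AUTH_ALGS = {1: "HMAC_MD5", 2: "HMAC_SHA"}
ISAKMP_PAYLOAD_P = 2   # "next payload" value that chains one proposal to the next


def parse_transform(buf, offset):
    """Decode one transform payload (RFC 2408 section 3.6) at offset.
    Returns (transform dict, offset of the byte after the payload)."""
    _next, _res, length, number, tid, _res2 = struct.unpack_from("!BBHBBH", buf, offset)
    end = offset + length
    pos = offset + 8
    attrs = {}
    while pos < end:
        raw_type, val = struct.unpack_from("!HH", buf, pos)
        pos += 4
        name = ATTR_TYPES.get(raw_type & 0x7fff, raw_type & 0x7fff)
        if raw_type & 0x8000:
            # AF=1, "basic" attribute: the 16-bit field is the value itself
            attrs[name] = val
        else:
            # AF=0, "variable" attribute: the field is a length, the value follows
            attrs[name] = int.from_bytes(buf[pos:pos + val], "big")
            pos += val
    if pos != end:
        raise ValueError("transform attributes do not fit the payload length")
    return {"number": number, "transform": ESP_TRANSFORM_IDS.get(tid, tid), "attrs": attrs}, end


def parse_sa_proposals(buf):
    """Walk a chain of proposal payloads (RFC 2408 section 3.5), as vpnc sends in
    S7.2, and return every ESP transform they carry, in the order offered."""
    offers = []
    pos = 0
    while True:
        next_p, _res, plen, pnum, prot, spi_size, ntrans = struct.unpack_from("!BBHBBBB", buf, pos)
        spi = buf[pos + 8:pos + 8 + spi_size].hex()
        tpos = pos + 8 + spi_size
        for _ in range(ntrans):
            t, tpos = parse_transform(buf, tpos)
            t.update(proposal=pnum, protocol=prot, spi=spi)
            offers.append(t)
        if next_p != ISAKMP_PAYLOAD_P:
            return offers
        pos += plen


def describe(t):
    """Render an offer the way vpnc's 'IPSEC SA selected' line does, e.g. ESP_AES128-HMAC_MD5."""
    a = t["attrs"]
    enc = t["transform"] if isinstance(t["transform"], str) else f"id{t['transform']}"
    if "KEY_LENGTH" in a:
        enc += str(a["KEY_LENGTH"])
    return f"{enc}-{AUTH_ALGS.get(a.get('AUTH_ALG'), 'unknown-auth')}"


def weak_offers(offers):
    """Offers a client should drop from its list if the server must not be able to
    select them: NULL encryption (integrity only, payload in clear) or MD5 integrity."""
    return [describe(t) for t in offers
            if t["transform"] == "ESP_NULL" or t["attrs"].get("AUTH_ALG") == 1]


# Constructed sample (not captured traffic): two single-transform proposals mirroring
# the dump's first (AES-256 / HMAC-SHA) and last (ESP_NULL / HMAC-MD5) offers.
SAMPLE_SA = bytes.fromhex(
    "02 00 00 2c 00 03 04 01 74 7f 4f 6f"   # proposal 0: next=P, len 44, ESP, SPI 747f4f6f
    "00 00 00 20 00 0c 00 00"               # transform 0: len 32, id 0x0c ESP_AES
    "80 06 01 00"                           #   KEY_LENGTH = 256 (AF bit set)
    "80 04 f0 03"                           #   ENCAP_MODE = UDP tunnel (old draft)
    "80 05 00 02"                           #   AUTH_ALG = HMAC_SHA
    "80 01 00 01"                           #   SA_LIFE_TYPE = seconds
    "00 02 00 04 00 20 c4 9b"               #   SA_LIFE_DURATION = 0x0020c49b (TLV)
    "00 00 00 28 01 03 04 01 74 7f 4f 6f"   # proposal 1: next=NONE, len 40
    "00 00 00 1c 00 0b 00 00"               # transform 0: len 28, id 0x0b ESP_NULL
    "80 04 f0 03 80 05 00 01 80 01 00 01"   #   encap, AUTH_ALG = HMAC_MD5, seconds
    "00 02 00 04 00 20 c4 9b"               #   same lifetime
)

if __name__ == "__main__":
    offers = parse_sa_proposals(SAMPLE_SA)
    for t in offers:
        print(f"proposal {t['proposal']} spi {t['spi']}: {describe(t)} "
              f"lifetime {t['attrs'].get('SA_LIFE_DURATION')} s")
    print("offers that allow a weak SA:", weak_offers(offers))
```

Run against the sample, the decoder lists ESP_AES256-HMAC_SHA and ESP_NULL-HMAC_MD5 with the 2147483 second lifetime from the dump, and weak_offers() flags the NULL/MD5 entry. The same walk, applied to the server's S7.3 reply (a single proposal, as in the dump), tells you which of your offers was actually chosen, which is the check to make before trusting what a tunnel is protecting.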