[Openswan dev] Small optimisation for lots of interfaces
David McCullough
davidm at snapgear.com
Thu Nov 24 20:10:40 CET 2005
Jivin Michael Richardson lays it down ...
> >>>>> "David" == David McCullough <davidm at snapgear.com> writes:
> David> counts using OpenSwan. I have run over 1000 simple tunnels
> David> between two hosts using freeswan (ie., single SA for all
> David> tunnels), but pluto seems to get unstable with much over 200
> David> truly independent tunnels. Has anyone else had this
> David> experience?
>
> Define "unstable".
Using simple tunnels (ie., same two hosts, same secret, lots of networks)
I have seen pluto silently exit sometime between 1000 and
2000 tunnels. I cannot remember if I saw it crash or not in this
scenario. Each tunnel was exercised as it came up to ensure data would
pass through ok.
Unfortunately the other developer who was testing a true star topology
is out today so I could not confirm the details. But IIRC, somewhere
around 300 truly different tunnels (different hosts/secrets/certs) pluto
would either crash or exit (not sure which).
Some of the problems we have seen were related to dead peer code.
Once you get a significant tunnel count you need to back off the DPD
timers quite a bit or pluto starts pulling tunnels down.
> Have you tried LEAK_DETECTIVE?
No, haven't heard of it :-) If it checks for memory leaks then I don't
think this is the problem, it is not running out of memory at least.
Cheers,
Davidm
--
David McCullough, davidm at cyberguard.com.au, Custom Embedded Solutions + Security
Ph:+61 734352815 Fx:+61 738913630 http://www.uCdot.org http://www.cyberguard.com