[Openswan dev] Small optimisation for lots of interfaces
David McCullough
davidm at snapgear.com
Fri Nov 25 09:45:39 CET 2005
Jivin Ken Bantoft lays it down ...
>
> On Thu, 24 Nov 2005, David McCullough wrote:
>
> >Jivin Michael Richardson lays it down ...
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>
> >>>>>>>"David" == David McCullough <davidm at snapgear.com> writes:
> >> David> counts using OpenSwan. I have run over 1000 simple tunnels
> >> David> between two hosts using freeswan (ie., single SA for all
> >> David> tunnels), but pluto seems to get unstable with much over 200
> >> David> truly independent tunnels. Has anyone else had this
> >> David> experience?
> >>
> >> Define "unstable".
> >
> >Using simple tunnels (ie., same two hosts, same secret, lots of networks)
> >I have seen the following pluto silently exit sometime between 1000 and
> >2000 tunnels. I cannot remember if I saw it crash or not in this
> >scenario. Each tunnel was exercised as it came up to ensure data would
> >pass through ok.
>
> Just finishing bringing up 5080 tunnels (/32 to /32's). Certainly took
> awhile, but they connected up okay. They were between 2 hosts, so shared
> the same ISAKMP SA. Also didn't test traffic, as I didn't have a spare
> box to throw in my basement, and nor could I get one in place today at the
> colo (1 peer in Toronto on DSL, one in Amsterdam @ xs4all).

Thanks for trying that, I will try to get a test run today to count
tunnels using OpenSwan, unfortunately I am out of the office for a
week or so then so it may be a while before I can revisit it.

> >Unfortunately the other developer who was testing a true star topology
> >is out today so I could not confirm the details. But IIRC, somewhere
> >around 300 truly different tunnels (different hosts/secrets/certs) pluto
> >would either crash or exit (not sure which).
>
> I'm going to see if I can do something better next month to generate more
> variants on the connections.

If I get a chance I will see if I can unpackage our test scripts from
the test framework so they can be used standalone to at least generate
the configs at each end.

Cheers,
Davidm
--
David McCullough, davidm at cyberguard.com.au, Custom Embedded Solutions + Security
Ph:+61 734352815 Fx:+61 738913630 http://www.uCdot.org http://www.cyberguard.com