[Openswan dev] Small optimisation for lots of interfaces

Andy fs at globalnetit.com
Fri Nov 25 02:06:17 CET 2005


On Thu, 2005-11-24 at 23:24 +0100, Ken Bantoft wrote:

> 
> Just finishing bringing up 5080 tunnels (/32 to /32's).  Certainly took 
> awhile, but they connected up okay.  They were between 2 hosts, so shared 
> the same ISAKMP SA.  Also didn't test traffic, as I didn't have a spare 
> box to throw in my basement, and nor could I get one in place today at the 
> colo (1 peer in Toronto on DSL, one in Amsterdam @ xs4all).
> 

I had a test setup not long ago where I set up 4096 tunnels between 2
hosts, using unique ISAKMP SAs for each. It involves using lots of
addresses assigned to a dummy interface on each host.

IIRC, I sent some notes to MCR about how I did that. I'll dig out the
email if anyone's interested.

That test would only work reliably if I set nhelpers=0 (in config
setup), AND used an iptables limit match to control the rate of new IKE
requests. This was using 2.4.0, IIRC, I haven't (yet) repeated this
testing against later releases. I do intend to do so Real Soon Now...
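
A sketch of the kind of setup this message describes: one host-to-host conn per address pair on a dummy interface, `nhelpers=0` in `config setup`, and an iptables limit match on new IKE exchanges. This is an added example, not the author's notes or Openswan project code; the 10.1/10.2 addressing, conn names, `dummy0`, PSK authentication, the use of the state match and the rate are all assumptions.

```shell
#!/bin/sh
# Added illustration: every address, name and rate below is an assumption.
# The generators only print text; review the output before applying it as root
# (the dummy module must be loaded and dummy0 brought up first).
LOCAL_NET=10.1   # constructed: first two octets of this host's test addresses
PEER_NET=10.2    # constructed: first two octets of the peer's test addresses

# Emit "ip addr add" commands putting N /32 addresses on a dummy interface.
gen_addr_cmds() {  # $1 = tunnel count
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "ip addr add $LOCAL_NET.$((i / 250)).$((i % 250 + 1))/32 dev dummy0"
        i=$((i + 1))
    done
}

# Emit an ipsec.conf with nhelpers=0 and one host-to-host conn per address
# pair, so every tunnel negotiates its own ISAKMP SA.
gen_ipsec_conf() {  # $1 = tunnel count
    printf 'version 2.0\n\nconfig setup\n\tnhelpers=0\n\n'
    i=0
    while [ "$i" -lt "$1" ]; do
        hi=$((i / 250)); lo=$((i % 250 + 1))
        printf 'conn t%d\n\tleft=%s\n\tright=%s\n\tauthby=secret\n\tauto=start\n\n' \
            "$i" "$LOCAL_NET.$hi.$lo" "$PEER_NET.$hi.$lo"
        i=$((i + 1))
    done
}

# Emit iptables rules that let established IKE flows through and admit new
# ones at a fixed rate; dropped first packets are retransmitted by the peer.
gen_iptables() {  # $1 = new IKE exchanges admitted per second
    echo "iptables -A INPUT -p udp --dport 500 -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 500 -m state --state NEW -m limit --limit $1/second --limit-burst $1 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 500 -j DROP"
}

# Usage: gen_ipsec_conf 4096 > ipsec.conf; gen_addr_cmds 4096; gen_iptables 10
```

The same generated ipsec.conf can be used on both hosts, since each side identifies itself by whichever of left/right matches a local address; the peer needs the `PEER_NET` addresses on its own dummy interface.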





