[Openswan Users] ipsec restart slow with many certs

Andy Gay andy at andynet.net
Fri Jul 21 22:43:05 CEST 2006


On Fri, 2006-07-21 at 20:48 -0400, ted leslie wrote:
> I just added certs (500 x.509 based connections) to my Openswan
> and it took 4.5 minutes to reset, and read in and do whatever it does with the
> ipsec.conf that contained those 500 entries.
> 
Sounds about right. I have around 1500 on one server, takes about 10
minutes to load them all.

> That's a fairly long time,
> it's only a single cpu 2.0GHz intel and it was at 95%-100% load the entire 4.5 minutes,
> I am a bit concerned now, but when I want to add 20,000 certs, I am starting to
> see that this will be an issue! like a day to restart openswan!

Hmm. 4.5 min = 270 seconds for 500 = about 2/sec. So for 20,000 it'll
take 10,000 sec = about 2.75 hours...
> 
> anyone have any thoughts.

Don't restart... :)
Use more servers. They're not expensive. We adopted a policy that we
limit each server to around 1000 connections at most. That keeps startup
times reasonable and limits the damage if one crashes.

But they're very rarely restarted. I have servers running for over 6
months.

BTW - with 20,000 conns you'll have problems using the 'standard'
startup scripts - at around 8,000 they hit the system limits and fail
with 'command line too long' type errors.

There's a 'starter' program somewhere in the distribution that's
supposed to work faster, that may also deal with more conns. I haven't
tried it yet. It's not yet clear to me where the CPU time is being used
during startup, it may be the awk based scripts taking all the time, but
it's also been suggested it may be down to the availability of entropy
for the random number generator. A hardware RNG may help.

> 
> and to add a new cert, who wants to have the ipsec down for 5 minutes while you add one
> and restart if you just even have only 500 x.509 certs in it.

You don't need to restart to add 1 new connection! Just add the conn and
do ipsec auto --add to bring it up.
Keep each conn in a separate file to make that easy to manage. The
standard ipsec.conf has 'include /etc/ipsec.d/*.conf' in it, so just add
a connXX.conf in /etc/ipsec.d for each.

> 
> at least crl is useful to nuke one without having to reset the server but ....
> 
Or delete the conn file and do ipsec auto --delete

> -tl
> 
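The one-conn-per-file workflow Andy describes (drop a connXX.conf into /etc/ipsec.d, then `ipsec auto --add` / `ipsec auto --delete` instead of restarting) as an added shell example; it is not code from the thread or from the Openswan project. It assumes the gateway's own certificate is referenced via leftcert, that the peer is matched by the DN in its certificate (rightid), and the IPSEC_D / IPSEC_BIN variables are introduced here only so the functions can be dry-run outside a real gateway.

```shell
#!/bin/sh
# Added example: add or remove a single X.509 peer on a running Openswan gateway
# without restarting. Assumes ipsec.conf already carries
# "include /etc/ipsec.d/*.conf". IPSEC_D and IPSEC_BIN are assumptions of this
# script (not Openswan settings) so it can be exercised in a scratch directory.

IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"
IPSEC_BIN="${IPSEC_BIN:-ipsec}"

# write_conn NAME PEER_DN [GATEWAY_CERT]
# Writes $IPSEC_D/connNAME.conf holding one conn that authenticates the
# peer by certificate (rightrsasigkey=%cert) and matches it on its DN.
write_conn() {
    name="$1"; peer_dn="$2"; gw_cert="${3:-gatewayCert.pem}"
    cat > "$IPSEC_D/conn$name.conf" <<EOF
conn $name
    authby=rsasig
    left=%defaultroute
    leftcert=$gw_cert
    leftrsasigkey=%cert
    right=%any
    rightid="$peer_dn"
    rightrsasigkey=%cert
    auto=add
EOF
}

# add_conn NAME PEER_DN [GATEWAY_CERT]
# Writes the file, then loads just that conn into the running daemon; the
# other conns (and their tunnels) are untouched.
add_conn() {
    write_conn "$@"
    "$IPSEC_BIN" auto --add "$1"
}

# delete_conn NAME
# Unloads the conn from the running daemon and removes its file so a later
# full restart does not bring it back.
delete_conn() {
    "$IPSEC_BIN" auto --delete "$1"
    rm -f "$IPSEC_D/conn$1.conf"
}
```

On a real gateway, `add_conn peer0001 "C=US, O=Example, CN=peer0001"` followed by `delete_conn peer0001` is the whole lifecycle for one peer, with the daemon left running throughout.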
