[Openswan Users] ipsec restart slow with many certs

Andy Gay andy at andynet.net
Sat Jul 22 14:16:42 CEST 2006


On Fri, 2006-07-21 at 22:37 -0400, ted leslie wrote:
> thanks, very good stuff to know!!
> we have a situation where we have a very very part time work force,
> and we might have 10K certs but only 300 simo connections,
> 
> i wonder if the new iron, i.e. quad cores, etc will help,
> i doubt the slowness is anything disk related,

Actually, it can be. Lots of stuff gets syslogged during startup. Make
sure you don't have plutodebug set to anything. Especially not
plutodebug=all, which lots of people who post here seem to do.

It's worth disabling local logging and sending your syslogs to a
dedicated logging server.

> 
> but with the stuff you mentioned it looks like restarting IS very infrequently needed,
> 
> 
> just out of curiosity, how does a typical cisco/netscreen/checkpoint handle this? (i wonder)
> any better? same? worse? Since they are licensed per user often,
> say a netscreen 200 user license, i am guessing that limits that platform to 200 certs?

I guess. No idea really. Fortunately I don't have to deal with such
stuff :)

> 
> thanks again, you made my day!!

HTH

> 
> -tl
> 
> On Fri, 21 Jul 2006 21:43:05 -0400
> Andy Gay <andy at andynet.net> wrote:
> 
> > On Fri, 2006-07-21 at 20:48 -0400, ted leslie wrote:
> > > i just added certs (500 x.509 based connections) to my Openswan
> > > and it took 4.5 minutes to reset, and read in and do whatever it does with the
> > > ipsec.conf that contained those 500 entries.
> > > 
> > Sounds about right. I have around 1500 on one server, takes about 10
> > minutes to load them all.
> > 
> > > That's a fairly long time,
> > > it's only a single cpu 2.0GHz intel and it was at 95%-100% load the entire 4.5 minutes,
> > > i am a bit concerned now, but when i want to add 20,000 certs, i am starting to
> > > see that this will be an issue! like a day to restart openswan!
> > 
> > Hmm. 4.5 min = 270 seconds for 500 = about 2/sec. So for 20,000 it'll
> > take 10,000 sec = about 2.75 hours...
> > > 
> > > any one have any thoughts.
> > 
> > Don't restart... :)
> > Use more servers. They're not expensive. We adopted a policy that we
> > limit each server to around 1000 connections at most. That keeps startup
> > times reasonable and limits the damage if one crashes.
> > 
> > But they're very rarely restarted. I have servers running for over 6
> > months.
> > 
> > BTW - with 20,000 conns you'll have problems using the 'standard'
> > startup scripts - at around 8,000 they hit the system limits and fail
> > with 'command line too long' type errors.
> > 
> > There's a 'starter' program somewhere in the distribution that's
> > supposed to work faster, that may also deal with more conns. I haven't
> > tried it yet. It's not yet clear to me where the CPU time is being used
> > during startup, it may be the awk based scripts taking all the time, but
> > it's also been suggested it may be down to the availability of entropy
> > for the random number generator. A hardware RNG may help.
> > 
> > > 
> > > and to add a new cert, who wants to have the ipsec down for 5 minutes while you add one
> > > and restart, if you even have only 500 x.509 certs in it.
> > 
> > You don't need to restart to add 1 new connection! Just add the conn and
> > do ipsec auto --add to bring it up.
> > Keep each conn in a separate file to make that easy to manage. The
> > standard ipsec.conf has 'include /etc/ipsec.d/*.conf' in it, so just add
> > a connXX.conf in /etc/ipsec.d for each.
> > 
> > > 
> > > at least crl is useful to nuke one without having to reset the server but ....
> > > 
> > Or delete the conn file and do ipsec auto --delete
> > 
> > > -tl
> > > 
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan: 
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > 
> > 
> 
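The one-conn-per-file workflow Andy describes above (each peer in its own /etc/ipsec.d/<name>.conf pulled in by the stock `include /etc/ipsec.d/*.conf`, loaded with `ipsec auto --add` and removed with `ipsec auto --delete`, and no plutodebug in `config setup`) as a small POSIX shell helper. This is an added example, not code from the thread or from the Openswan project; the IPSEC_D and IPSEC_CONF overrides, the `gateway.pem` certificate name and the `addconn.sh` name are assumptions made so it can be exercised in a scratch directory. The conn options used (leftcert, leftrsasigkey=%cert, rightrsasigkey=%cert, rightid, rightca=%same, authby=rsasig, auto=add) are the Openswan X.509 roadwarrior settings; rightid is the DN from the peer's certificate.

```shell
#!/bin/sh
# addconn.sh: manage one Openswan X.509 conn per file so a single peer can be
# added or removed from a running pluto without restarting the whole stack.
# Added example, not part of the original thread. IPSEC_D / IPSEC_CONF are
# assumed overrides for testing; the defaults are the standard Openswan paths.

IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Write $IPSEC_D/<name>.conf for one roadwarrior identified by the DN in its
# certificate. The name is restricted to [A-Za-z0-9_.-] so it can never escape
# IPSEC_D or inject into the ipsec(8) command line; the DN may not contain
# double quotes because it is emitted inside rightid="...".
# Returns 1 (and writes nothing) on a bad name, a bad DN or an existing file.
write_conn() {
    name=$1
    rightid=$2
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "bad conn name: $name" >&2; return 1 ;;
    esac
    case $rightid in
        ''|*\"*) echo "bad rightid: $rightid" >&2; return 1 ;;
    esac
    f="$IPSEC_D/$name.conf"
    [ -e "$f" ] && { echo "already exists: $f" >&2; return 1; }
    # gateway.pem is an assumed gateway certificate name in $IPSEC_D/certs.
    cat > "$f" <<EOF
conn $name
    left=%defaultroute
    leftcert=gateway.pem
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightid="$rightid"
    rightca=%same
    authby=rsasig
    auto=add
EOF
}

# Create the file, then load just that conn into the running pluto.
add_conn() {
    write_conn "$1" "$2" || return 1
    ipsec auto --add "$1"
}

# Unload the conn from pluto, then delete its file so it is not re-read on
# the next (rare) full restart. A revoked cert still belongs on the CRL; this
# only stops pluto from offering the policy.
del_conn() {
    ipsec auto --delete "$1" && rm -f "$IPSEC_D/$1.conf"
}

# Startup-time sanity check from the thread: any plutodebug other than none
# floods syslog on every load, and without the include line the per-conn
# files are never read. Returns 1 if either problem is found.
check_config() {
    rc=0
    if grep -E '^[[:space:]]*plutodebug[[:space:]]*=' "$IPSEC_CONF" \
       | grep -Evq '=[[:space:]]*"?none"?[[:space:]]*$'; then
        echo "plutodebug is set in $IPSEC_CONF; remove it or set plutodebug=none" >&2
        rc=1
    fi
    if ! grep -Fq "include $IPSEC_D/*.conf" "$IPSEC_CONF"; then
        echo "missing 'include $IPSEC_D/*.conf' in $IPSEC_CONF" >&2
        rc=1
    fi
    return $rc
}

# Command-line entry point:
#   addconn.sh add <name> "<peer cert DN>"   addconn.sh del <name>   addconn.sh check
case "${1:-}" in
    add)   add_conn "$2" "$3" ;;
    del)   del_conn "$2" ;;
    check) check_config ;;
esac
```

Running `addconn.sh add user42 "C=US, O=Example, CN=user42"` writes /etc/ipsec.d/user42.conf and issues `ipsec auto --add user42`; the gateway never goes down, and the other few hundred conns are untouched. Because every file is picked up by the include on a full restart, the on-disk state and pluto's loaded state stay in sync as long as adds and deletes go through these two functions.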


