[Openswan Users] Connection not coming up automatically
Andy
fs at globalnetit.com
Tue Jun 27 15:55:51 CEST 2006
On Tue, 2006-06-27 at 09:07 +0200, Marco Berizzi wrote:
> Andy wrote:
>
> >Did you try with nhelpers=0 in your ipsec.conf?
>
> Is this safe to set nhelpers=0 on all osw boxes?
IMO, yes.
I run all mine that way.
I'm really not sure how the separate helper process is useful. It
offloads the crypto processing for IKE negotiations, but unless you have
a huge number of connections and a real short rekey interval the IKE
stuff isn't really a significant load. Most crypto work goes on in the
kernel.
And if you do have a huge number of connections (I do) then nhelpers>0
makes pluto unstable. See http://bugs.xelerance.com/view.php?id=305 for
example. That's supposedly fixed, but I'm not so sure - I had similar
problems with later code, I reported those to the developers but didn't
hear any resolution.
With nhelpers=0, I have uptime >6 months on several servers, running
many hundred connections.
>
> >On Mon, 2006-06-26 at 11:07 +0200, Marco Berizzi wrote:
> > > Hello everybody.
> > > I'm experimenting a problem with an openswan box with 11
> > > tunnel configured with auto=start
> > > I'm getting this error "can not start crypto helper:
> > > failed to find any available worker" and the tunnel is
> > > not started automatically till the other peer initiate
> > > quick mode. I have seen a bug report (198) but it is
> > > marked as fixed. The linux box is running vanilla 2.4.30
> > > + KLIPS 2.3.1 + userland 2.4.5
> > >
> > > Hints?
>
>
--
Andy <fs at globalnetit.com>
More information about the Users
mailing list