[Openswan Users] openswan conflicts with large routing tables?
Paul Wouters
paul at xelerance.com
Sun Nov 9 22:27:29 EST 2008
On Mon, 10 Nov 2008, Roger Schreiter wrote:
> I tried to run openswan on a bgp server.
> ipsec is version 2.6.18 with KLIPS.
>
> This machine has no default route, but approx 250,000
> single routes.
> /etc/init.d/ipsec start
> does not start openswan unless I put a line like
> interfaces="ipsec0=eth0"
> in ipsec.conf.
That's right (because you have no default route).
> If I use the interface eth0, which has that large routing
> table, openswan starts, but the link does not start.
Can you tell us more of what is happening? What do the logs
show?
> Imho, openswan tries to copy the routing table from eth0
> to ipsec0, and then cannot deal with such a large routing
> table, or is at least too slow, yielding timeouts when
> starting the connection.
AFAIK, that does not happen.
Do you see messages like:
[ 8648.409997] __ratelimit: 168 messages suppressed
[ 8648.410009] Neighbour table overflow.
You can try adding this to sysctl.conf
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
And run sysctl -p once, and then try to start openswan?
If that still fails, please run with plutodebug=all and show those logs.
(or try to capture the output of 'ipsec barf')
Paul
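The neighbour-table tuning Paul suggests above can be checked before it is applied. The script below is an added example written for this archive page, not code posted in the thread or shipped with Openswan. It assumes a Linux host with iproute2 (`ip`) and the `/proc/sys/net/ipv4/neigh/default/gc_thresh*` knobs; the "warn at 80% of gc_thresh3" threshold and the sample `dmesg` lines are this example's own constructions. The kernel logs "Neighbour table overflow" and refuses new ARP entries when the cache reaches gc_thresh3 (the hard limit), which is why a box talking to a very large number of next hops can hit it while a normal host never does.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): report whether the ARP /
# neighbour cache is close to the gc_thresh3 hard limit, and whether the
# kernel has already logged the overflow message Paul asks about.

# Constructed sample of kernel log lines standing in for `dmesg` output.
SAMPLE_DMESG='[ 8648.409997] __ratelimit: 168 messages suppressed
[ 8648.410009] Neighbour table overflow.
[ 8650.100000] eth0: link up'

# count_overflow_msgs <text>: number of "Neighbour table overflow" lines.
# `|| true` keeps a zero count from being reported as a failure by grep.
count_overflow_msgs() {
    printf '%s\n' "$1" | grep -c 'Neighbour table overflow' || true
}

# neigh_headroom <entries> <gc_thresh3>: print ok | warn | full.
# The kernel refuses new entries once the table reaches gc_thresh3;
# "warn" at 80% of that is this example's own (assumed) early-warning line.
neigh_headroom() {
    entries=$1
    thresh3=$2
    if [ "$entries" -ge "$thresh3" ]; then
        echo full
    elif [ $((entries * 10)) -ge $((thresh3 * 8)) ]; then
        echo warn
    else
        echo ok
    fi
}

# Values from the thread, in the sysctl.conf form Paul gave.
suggested_sysctl_fragment() {
    cat <<'EOF'
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
EOF
}

# Live check: read the current hard limit and count cached IPv4 neighbours.
# Only runs when the knobs and `ip` are actually present on this host.
report_live() {
    knob=/proc/sys/net/ipv4/neigh/default/gc_thresh3
    if [ -r "$knob" ] && command -v ip >/dev/null 2>&1; then
        thresh3=$(cat "$knob")
        entries=$(ip -4 neigh show 2>/dev/null | wc -l | tr -d ' ')
        echo "neighbour entries: $entries  gc_thresh3: $thresh3  status: $(neigh_headroom "$entries" "$thresh3")"
        if command -v dmesg >/dev/null 2>&1; then
            n=$(count_overflow_msgs "$(dmesg 2>/dev/null || true)")
            echo "overflow messages in dmesg: $n"
        fi
        echo "suggested /etc/sysctl.conf additions (apply with: sysctl -p):"
        suggested_sysctl_fragment
    fi
}

# Demonstrate the log check on the constructed sample, then look at the host.
echo "overflow messages in sample log: $(count_overflow_msgs "$SAMPLE_DMESG")"
report_live
```

Run it as root (or any user that can read `/proc/sys`) on the BGP box before and after editing `sysctl.conf`; if the status is already `full` or the overflow message appears, the thresholds are the first thing to raise, and if neither is true the `plutodebug=all` logs Paul asks for are the next step.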