Date: Fri, 23 Aug 2002 10:39:26 -0400
From: Ju Ichi <freebsd-net@ichi.net>
To: freebsd-net@FreeBSD.ORG
Subject: IPSec SPD limit?
Message-ID: <200208231039.26675.freebsd-net@ichi.net>

We are trying to set up a large IPSec SPD (in excess of 1000 SAs) on the
following hardware/software config:

    Compaq DL360 with dual 1.4GHz processors
    2GB RAM
    4GB swap space
    4.6.1-RELEASE-p11
    racoon-20020507a

We get a "send: No buffer space available" when trying to read in the
/etc/ipsec.conf file if it has more than about 1000 entries. Also, if we do a
setkey -DP after trying to read in /etc/ipsec.conf we get "recv: Resource
temporarily unavailable" after it lists some of the SAs.

Several kernel tweaks have been tried. For example, we have tried setting
MAXUSERS from 0 to 1024 on bit boundaries (0, 128, 256, 512, and 1024). FWIW,
setting it to 1024 seems to be evil. ;-) We have also tried various settings
in the kernel config file on NMBCLUSTERS, NMBUFS, NBUF, MAXDSIZ, MAXSSIZ,
DFLDSIZ, and MAXFILES. In addition, we have tweaked kern.ipc.somaxconn,
net.inet.tcp.sendspace, net.inet.tcp.recvspace, net.inet.udp.recvspace, and
net.inet.udp.maxdgram after reading some performance tuning web pages.

I can provide additional details as needed, but didn't want to make this
initial request too long.

Does anyone know of any limits on the number of entries the SPD can hold and,
if so, how to make the limits higher?

Thanks in advance,
Ju

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message