From: Ju Ichi
To: freebsd-net@FreeBSD.ORG
Subject: IPSec SPD limit?
Date: Fri, 23 Aug 2002 10:39:26 -0400
Message-Id: <200208231039.26675.freebsd-net@ichi.net>

We are trying to set up a large IPSec SPD (in excess of 1000 SAs) on the
following hardware/software config:

  Compaq DL360 with dual 1.4GHz processors
  2GB RAM
  4GB swap space
  4.6.1-RELEASE-p11
  racoon-20020507a

We get a "send: No buffer space available" when trying to read in the
/etc/ipsec.conf file if it has more than about 1000 entries. Also, if we do a
setkey -DP after trying to read in /etc/ipsec.conf we get "recv: Resource
temporarily unavailable" after it lists some of the SAs.

Several kernel tweaks have been tried. For example, we have tried setting
MAXUSERS from 0 to 1024 on bit boundaries (0, 128, 256, 512, and 1024). FWIW,
setting it to 1024 seems to be evil. ;-) We have also tried various settings in
the kernel config file on NMBCLUSTERS, NMBUFS, NBUF, MAXDSIZ, MAXSSIZ, DFLDSIZ,
and MAXFILES. In addition, we have tweaked kern.ipc.somaxconn,
net.inet.tcp.sendspace, net.inet.tcp.recvspace, net.inet.udp.recvspace, and
net.inet.udp.maxdgram after reading some performance tuning web pages.

I can provide additional details as needed, but didn't want to make this
initial request too long.

Does anyone know of any limits on the number of entries the SPD can hold and,
if so, how to make the limits higher?

Thanks in advance,
Ju