From owner-freebsd-security Mon Aug 26 21:21: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89C8D37B400 for ; Mon, 26 Aug 2002 21:21:04 -0700 (PDT)
Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id E890F43E6E for ; Mon, 26 Aug 2002 21:21:03 -0700 (PDT) (envelope-from nielsen@memberwebs.com)
From: "Nielsen"
To: "Ju Ichi" , "Sam Leffler (at Usenix)" ,
References: <200208231624.14487.freebsd-security@ichi.net> <006101c24aff$cce8cd00$52557f42@errno.com> <200208261259.15721.freebsd-security@ichi.net>
Subject: Re: IPSec SPD limit?
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020827042229.55E0A43B384@mail.npubs.com>
Date: Tue, 27 Aug 2002 04:22:29 +0000 (GMT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Well, no, the retrieval was what eventually caused us to consider a totally different alternative. We use a second machine now to do the actual ESP/tunnelling. This also made it possible to selectively edit the entries. Loading tens of thousands of entries via setkey each time took too long.

Our main router now has tens of thousands of IPFW forward rules which selectively forward traffic through this second ipsec machine. The ipsec machine needs only the SAD tables and a couple of IPSEC entries to encrypt all traffic going through it.

Of course, if you need a separate encryption tunnel/transport for each IP/subnet then this won't work properly.
Nate

> We are able to get the policy loaded by using "setkey -c" with sleep
> statements as Nate suggested, but still are getting "recv: Resource
> temporarily unavailable" when doing a setkey -DP. Any more ideas on other
> values to up?
>
> Also, Nate, do you know of a way to dump the policy with setkey so it all
> shows? In other words, using setkey -c we can slow down the rate of putting
> entries in, but there doesn't seem to be a way to slow down the rate at which
> the policy is dumped.
>
> Thanks,
> Ju
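The batched "setkey -c with sleeps" loading that the quoted message refers to, written out as an added example that is not code from this thread: a POSIX sh function feeds a policy file to `setkey -c` a few statements at a time and pauses between batches so the PF_KEY socket can drain. The policy file contents, batch size, pause length and the `cat`/`wc -l` dry-run loader are assumptions for illustration.

```shell
# Added example, not from the thread. Feed a setkey policy file to
# `setkey -c` in batches, pausing between batches so the kernel's
# PF_KEY socket can keep up instead of returning EAGAIN
# ("recv: Resource temporarily unavailable").
# Usage: feed_spd_batched POLICY_FILE BATCH_SIZE DELAY_SECONDS [LOADER...]
# LOADER defaults to `setkey -c`; pass `cat` for a dry run.
feed_spd_batched() {
    file=$1; batch=$2; delay=$3; shift 3
    [ $# -gt 0 ] || set -- setkey -c
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
        n=$((n + 1))
        # Pause after every BATCH_SIZE statements; setkey executes each
        # statement as it is parsed, so the pause throttles the kernel side.
        if [ $((n % batch)) -eq 0 ]; then sleep "$delay"; fi
    done < "$file" | "$@"
}

# Constructed sample policy (assumed, not a real site): three tunnelled
# subnet pairs, one "out" and one "in" SP each. Addresses are RFC 5737
# documentation ranges.
write_sample_policy() {
    cat > "$1" <<'EOF'
spdadd 192.0.2.0/25 198.51.100.0/25 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/25 192.0.2.0/25 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 192.0.2.0/25 198.51.100.128/25 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.3/require;
spdadd 198.51.100.128/25 192.0.2.0/25 any -P in ipsec esp/tunnel/203.0.113.3-203.0.113.1/require;
spdadd 192.0.2.128/25 198.51.100.0/25 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/25 192.0.2.128/25 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
EOF
}

# Dry run: write the sample, feed it two statements per batch with no pause,
# and report how many statements the loader received (6). On the gateway
# you would run e.g. `feed_spd_batched /etc/ipsec.conf 200 1` instead.
count_loaded() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/spd.XXXXXX")
    write_sample_policy "$tmp"
    feed_spd_batched "$tmp" 2 0 wc -l | tr -d ' '
    rm -f "$tmp"
}
```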