Date: Tue, 27 Aug 2002 04:22:29 +0000 (GMT) From: "Nielsen" <nielsen@memberwebs.com> To: "Ju Ichi" <freebsd-security@ichi.net>, "Sam Leffler (at Usenix)" <sam@usenix.org>, <freebsd-security@FreeBSD.ORG> Subject: Re: IPSec SPD limit? Message-ID: <20020827042229.55E0A43B384@mail.npubs.com> References: <200208231624.14487.freebsd-security@ichi.net> <006101c24aff$cce8cd00$52557f42@errno.com> <200208261259.15721.freebsd-security@ichi.net>
Well, no, the retrieval was what eventually caused us to consider a totally different alternative. We use a second machine now to do the actual ESP/tunnelling. This also made it possible to selectively edit the entries. Loading tens of thousands of entries via setkey each time took too long.

Our main router now has tens of thousands of IPFW forward rules which selectively forward traffic through this second ipsec machine. The ipsec machine only needs the SAD tables and a couple of IPSEC entries to encrypt all traffic going through it. Of course if you need a separate encryption tunnel/transport for each IP/subnet then this won't work properly.

Nate

> We are able to get the policy loaded by using "setkey -c" with sleep
> statements as Nate suggested, but still are getting "recv: Resource
> temporarily unavailable" when doing a setkey -DP. Any more ideas on other
> values to up?
>
> Also, Nate, do you know of a way to dump the policy with setkey so it all
> shows? In other words, using setkey -c we can slow down the rate of putting
> entries in, but there doesn't seem to be a way to slow down the rate at which
> the policy is dumped.
>
> Thanks,
> Ju
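The split Nate describes (selection done with ipfw `fwd` rules on the router, a tiny catch-all SPD on a separate ESP box) as an added example; this is not code from the thread or from either poster. Interface names, the 10.0.0.2 / 203.0.113.1 tunnel endpoints, the SPIs and the zeroed placeholder keys are all assumptions, as is the choice to match on inbound traffic from each subnet; the `load_paced` helper is one way to do the "setkey -c with sleep" pacing the reply mentions, not the exact script used.

```sh
#!/bin/sh
# Added example for this thread, not code from the original message.
# Router side: one ipfw 'fwd' rule per selected subnet, steering that
# traffic to a second box. ESP side: two SAs and two tunnel-mode SPD
# entries that cover whatever the router hands over, so the SPD never
# grows with the number of subnets.
# Every address, interface name, SPI and key below is an assumption.

INSIDE_IF=em1                 # router interface facing the selected subnets
IPSEC_NEXTHOP=10.0.0.2        # the second (ESP) machine, reachable from the router
LOCAL_GW=10.0.0.2             # tunnel endpoint on the ESP machine
REMOTE_GW=203.0.113.1         # peer tunnel endpoint
SPI_OUT=0x1000
SPI_IN=0x1001
# Placeholder keys sized for rijndael-cbc (128-bit) and hmac-sha1 (160-bit).
# Replace them before loading; never run with zero keys.
ENC_KEY=0x00000000000000000000000000000000
AUTH_KEY=0x0000000000000000000000000000000000000000

# gen_ipfw_rules: read one CIDR per line on stdin (blank lines and '#'
# comments skipped) and emit one ipfw 'fwd' rule per subnet, numbered
# from 1000, so packets arriving from that subnet are sent to the ESP
# machine instead of following the default route.
gen_ipfw_rules() {
    n=1000
    while read -r subnet; do
        case "$subnet" in ''|'#'*) continue ;; esac
        printf 'add %d fwd %s ip from %s to any in via %s\n' \
            "$n" "$IPSEC_NEXTHOP" "$subnet" "$INSIDE_IF"
        n=$((n + 1))
    done
}

# gen_setkey_conf: the complete SAD/SPD for the ESP machine. Two SAs
# (one per direction) and two any-to-any tunnel-mode policies; the SPD
# stays at two entries however many subnets the router steers here.
gen_setkey_conf() {
    cat <<EOF
flush;
spdflush;
add $LOCAL_GW $REMOTE_GW esp $SPI_OUT -E rijndael-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
add $REMOTE_GW $LOCAL_GW esp $SPI_IN -E rijndael-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# load_paced: feed a setkey config on stdin to 'setkey -c' one line at
# a time with a pause between lines. This is the bulk-load pacing
# workaround the reply refers to; only needed if a large SPD is kept.
# Usage: gen_setkey_conf | load_paced 0.2
load_paced() {
    while read -r line; do
        printf '%s\n' "$line"
        sleep "${1:-1}"
    done | setkey -c
}

# Demo (run with SPD_SPLIT_DEMO=1): print both generated configs.
if [ -n "${SPD_SPLIT_DEMO:-}" ]; then
    printf '192.168.1.0/24\n192.168.2.0/24\n' | gen_ipfw_rules
    gen_setkey_conf
fi
```

Two caveats for anyone copying the layout: the any-to-any policy on the ESP box also matches that machine's own management and routing traffic, so either narrow the selectors to the router-facing side or add explicit `-P out none` policies for the traffic that must stay clear; and the placeholder keys above are deliberately invalid and must be replaced with properly generated ones before `setkey -c` is run.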