
[IPSEC] Too many SADs!

To: netdev@xxxxxxxxxxx
Subject: [IPSEC] Too many SADs!
From: Stephen Frost <sfrost@xxxxxxxxxxx>
Date: Mon, 21 Mar 2005 09:52:23 -0500
Mail-followup-to: netdev@xxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
Greetings,

  This seems to be the right place for Linux 2.6 ipsec issues:

  Linux 2.6.10 + Virtual Server 1.9.4 + Patrick's IPSEC Netfilter patches
  i386 & amd64 (same source for both)
  Debian Racoon & ipsec-tools 0.5-4
  Setting policies using setkey (not using racoon-tool)
  Using both transport and tunnels

  Problem:

  ===# setkey -D | grep '^[0-9]' | wc -l
  recv: Resource temporarily unavailable
  443
  ===# setkey -D | grep mature | wc -l     
  recv: Resource temporarily unavailable
  443
  ===# setkey -D | grep tunnel | wc -l     
  recv: Resource temporarily unavailable
  18
  ===# setkey -D | grep transport | wc -l
  recv: Resource temporarily unavailable
  425
  ===# ps auwx | grep racoon
  root     17722  3.8  2.0 178268 168252 ?       Ss   Mar20  28:39 /usr/sbin/racoon
  ===# setkey -D -P | grep '^[0-9]' | wc -l
  34
  ===# setkey -D -P | grep transport | wc -l
  20
  ===# setkey -D -P | grep tunnel | wc -l   
  14

  I've seen the number of tunnel SADs go up a bunch too on another
  machine.  I see that there have been some changes in 2.6.11.3 (or so?)
  wrt IPSEC and __xfrm_state_find_acq_byseq(); would that likely fix
  this problem?  I don't tend to use /unique:x but rather /require in
  my policies; would changing that fix this?  I had originally been
  using a /24 for my transport policy and thought changing that to be a
  bunch of /32 policies for the specific machines I'm talking to would
  help; it didn't.

  Occasionally (generally when I first get ipsec going between a couple
  of machines) I see pmtu problems which kill that ssh, but after that it
  works.  Not a big deal, but I see a lot of MTU discussion and patches;
  is that expected to be in 2.6.12?

        Thanks for any help,

                Stephen
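A way to break the SAD count down by peer pair, mode and state instead of the bare grep counts above, as an added example (Python, not part of the original post or of ipsec-tools); the `setkey -D` text is constructed here and assumed to follow the ipsec-tools dump layout (address-pair line, indented "proto mode=... spi=..." line, then a line carrying "state=..."):

```python
import re
from collections import Counter

# Constructed sample of `setkey -D` output (assumed ipsec-tools layout).
SAMPLE = """\
10.0.0.1 10.0.0.2
\tesp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: aes-cbc  00000000 00000000 00000000 00000000
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
\tesp mode=transport spi=305419897(0x12345679) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
\tesp mode=transport spi=305419898(0x1234567a) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
192.168.1.1 192.168.2.1
\tesp mode=tunnel spi=305419899(0x1234567b) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

PAIR_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst" line
SA_RE = re.compile(r"^\s+(\w+)\s+mode=(\w+)\s+spi=(\d+)")  # "esp mode=... spi=..."
STATE_RE = re.compile(r"\bstate=(\w+)")              # larval / mature / dying / dead

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi (int), state."""
    sas, cur, src, dst = [], None, None, None
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:                      # new address pair; following SAs belong to it
            src, dst = m.groups()
            continue
        m = SA_RE.match(line)
        if m:                      # start of one SA entry
            cur = {"src": src, "dst": dst, "proto": m.group(1),
                   "mode": m.group(2), "spi": int(m.group(3)), "state": None}
            sas.append(cur)
            continue
        m = STATE_RE.search(line)
        if m and cur is not None:  # state line belongs to the current SA
            cur["state"] = m.group(1)
    return sas

def summarize(sas, threshold=2):
    """Count SAs per (src, dst, mode) and per state; flag pairs at/over threshold."""
    per_pair = Counter((s["src"], s["dst"], s["mode"]) for s in sas)
    per_state = Counter(s["state"] for s in sas)
    noisy = {k: v for k, v in per_pair.items() if v >= threshold}
    return per_pair, per_state, noisy

if __name__ == "__main__":
    pairs, states, noisy = summarize(parse_sad(SAMPLE))
    print("by state:", dict(states))
    for (s, d, mode), n in sorted(noisy.items(), key=lambda kv: -kv[1]):
        print(f"{n} {mode} SAs {s} -> {d}")
```

Piping real `setkey -D` output into `parse_sad` (for example via `sys.stdin.read()`) shows which peer pairs are accumulating SAs and how many are stuck in larval state, which is more informative than a total count when deciding whether policy scope or acquire handling is the cause.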

