* Wolfgang Walter (wolfgang.walter@xxxxxxxxxxxxxxxxxxxx) wrote:
> We had the same problem. Seems to be a limitation of the pfkey-implementation
> of linux.
>
> racoon and setkey both use the pfkey-interface.
>
> We switched to iproute2 and openswan which both use the netfilter-interface.
> Therefore they can handle thousands of SAD and SPD rules.
Well, that's quite interesting. I didn't realize there were multiple
interfaces to the IPSEC in Linux. Additionally, the problem isn't that
I've got too many policies which end up requiring too many SADs; the
problem is that SADs are being created above and beyond what's actually
necessary for my policies, which is a problem. I'm not entirely sure
why that's happening either. At one point a SAD was being added every
second when there was *already* an apparently current SAD for the
required policy. Not good, looks like a bug to me, and I would have
thought it was a kernel bug but I could be wrong there.
I'm certainly curious about the alternative interface to IPSEC in
Linux, and especially your claim that it's a 'netfilter' interface.
I'll certainly look into that... What kernel are you using? What
version of iproute2 and Openswan? Do you have to patch the kernel?
Stephen
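The symptom Stephen describes (a fresh SA appearing every second for a flow that already has a live SA) is easiest to confirm by counting SAs per flow in the kernel SAD. The script below is an added example, not code from either poster; it parses the text that iproute2's `ip xfrm state` prints (the header/detail line layout used here is an assumption about that output format) and reports flows carrying more SAs than expected. The sample output embedded in it is constructed; run it with `--live` to read the real SAD instead.

```python
"""Group IPsec SAs from `ip xfrm state` output and flag flows with extra SAs."""
import re
from collections import defaultdict

# Constructed sample in the layout `ip xfrm state` prints (assumption):
# two SAs for 10.0.0.1 -> 10.0.0.2 on reqid 1, one for the reverse direction.
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x0000a001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x0000a002 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x0000b001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
DETAIL_RE = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text):
    """Return one dict per SA (src, dst, proto, spi, reqid, mode)."""
    sas = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2)}
            sas.append(current)
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            current.update(proto=m.group(1), spi=m.group(2),
                           reqid=int(m.group(3)), mode=m.group(4))
    return sas


def count_sas_per_flow(sas):
    """Map (src, dst, proto, reqid) to the list of SPIs installed for it."""
    counts = defaultdict(list)
    for sa in sas:
        key = (sa["src"], sa["dst"], sa.get("proto"), sa.get("reqid"))
        counts[key].append(sa.get("spi"))
    return dict(counts)


def find_duplicate_flows(sas, max_expected=1):
    """Return flows carrying more SAs than max_expected.

    A brief overlap of two SAs is normal during rekeying, so when polling
    this periodically the signal is a count that keeps climbing, not one
    transient 2.
    """
    return {k: v for k, v in count_sas_per_flow(sas).items()
            if len(v) > max_expected}


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(["ip", "xfrm", "state"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_XFRM_STATE
    for flow, spis in find_duplicate_flows(parse_xfrm_state(text)).items():
        print(f"{flow[0]} -> {flow[1]} proto={flow[2]} reqid={flow[3]}: "
              f"{len(spis)} SAs {spis}")
```

Grouping by reqid as well as addresses keeps SAs that belong to different policies for the same host pair from being miscounted as duplicates.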