Hi,

Just replying to myself here, but it appears that pfSense 2.2.4 is back
to the problem I had on pfSense 1.2 in 2008.

From a cursory investigation on a test node, it appears that it fails to
load all SPD entries. Both the output of ipsec status and setkey -DP
lack large amounts of them. It appears to stop around 150-200 entries.

I've attempted to adjust the values in /etc/inc/vpn.inc but I don't
think those relate to the lack of space for setkey to succeed.

Has the kernel patch from FreeBSD 8.3 been ported to FreeBSD 10 for the
increase in buffer size?

Kind regards,

Seth

Seth Mos schreef op 6-8-2015 om 14:57:
> Hi,
> 
> We attempted an upgrade from 2.1.5 to 2.2.4 today and it backfired
> entirely, requiring a reinstall of both nodes to get back to a working
> situation. We did make config backups beforehand, but rolling back is a
> bit painful in this regard.
> 
> We have about 300 IPsec tunnels with Draytek Vigor (2820/2850) routers.
> Of the 300 tunnels, just 2 managed to come online immediately, and never
> more than about 10 in half an hour. This was taking way too long and
> meanwhile the phone was getting hammered.
> 
> What appeared to be happening is that these routers are "too"
> aggressive, triggering the DoS protection in charon. Some tunnels were
> establishing but triggering DPD and falling off again.
> 
> We disabled DPD entirely, but alas, this was not enough to get anywhere
> fast.
> 
> After searching some more I see that strongswan.conf had options for the
> SA table size, as well as an option for disabling the DoS protection.
> Unfortunately, none of these are listed in the UI.
> 
> The dos_protection is enabled by default, something which racoon never
> had. It does however need adjusting, or disabling, above n tunnels. And
> the cookie settings need adjusting for the larger amount of tunnels too.
> Do the ikesa_table_size = 32 and ikesa_table_segments = 4 need
> adjusting too?
> 
> The init_limit_half_open = 1000 needs to be twice the number of tunnels
> for successful negotiation. So this default should be good for 500
> tunnels. Although if there are multiple attempts I could see people
> running out.
> 
> Another thing I hit on the way was the initial phase1 negotiation timing
> out. For Linux the default is 165 seconds, but I have no idea what the
> defaults for FreeBSD are.
> 
> Apart from the issues with IPsec I didn't appear to have any other
> issues relating to firewall rules or CARP, so it was a success in that
> respect. Still a shame that we missed 2600 calls just this morning
> because the network broke.
> 
> Kind regards,
> 
> Seth Mos
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> 

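The charon tuning knobs and the phase 1 timeout discussed in the quoted message, and the missing-SPD-entries check from the reply above, as an added example that is not part of this thread and not pfSense or strongSwan code. The strongswan.conf option names (charon.dos_protection, cookie_threshold, block_threshold, init_limit_half_open, half_open_timeout, ikesa_table_size, ikesa_table_segments, retransmit_timeout, retransmit_base, retransmit_tries) are the documented strongSwan 5.x ones; the function names (retransmit_schedule, retransmit_total, render_charon_section, count_spd_policies, spd_shortfall), the sizing heuristics (two half-open IKE_SAs per tunnel, hash table rounded up to a power of two) and the setkey -DP sample text are this example's own assumptions, not defaults taken from either project:

```python
"""Sizing charon for a few hundred IKE peers, and checking the SPD.

Added example; not code from the mailing-list thread, pfSense or strongSwan.
Assumptions (see comments): strongSwan's documented retransmission
formula and option names; the per-tunnel sizing factors are heuristics
chosen for this example; the setkey -DP text below is constructed.
"""


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Per-attempt waits charon uses for an unanswered IKE exchange.

    strongSwan waits retransmit_timeout * retransmit_base**n after
    attempt n and gives up after retransmit_tries retransmissions.
    The defaults above are strongSwan's documented ones.
    """
    return [timeout * base ** n for n in range(tries + 1)]


def retransmit_total(timeout=4.0, base=1.8, tries=5):
    """Seconds an initiator keeps a half-open IKE_SA before giving up.

    With the defaults this is about 165 s, the phase 1 timeout a peer
    sees when its IKE_SA_INIT is never answered.
    """
    return round(sum(retransmit_schedule(timeout, base, tries)), 1)


def _next_pow2(n):
    return 1 << (n - 1).bit_length() if n > 1 else 1


def render_charon_section(tunnels, dos_protection=False):
    """Render the charon {} section of strongswan.conf for `tunnels` peers.

    Heuristics (this example's assumption, not a strongSwan rule):
    allow two half-open IKE_SAs per tunnel so a burst of reconnects
    after failover is not refused, and, if DoS protection stays on,
    lift cookie_threshold above that burst so legitimate peers are not
    cookie-challenged; block_threshold stays per-peer and small.
    """
    half_open = 2 * tunnels
    lines = [
        "charon {",
        f"    dos_protection = {'yes' if dos_protection else 'no'}",
        f"    init_limit_half_open = {half_open}",
        "    half_open_timeout = 30",
        f"    ikesa_table_size = {_next_pow2(tunnels)}",
        "    ikesa_table_segments = 16",
        "    retransmit_timeout = 4.0",
        "    retransmit_base = 1.8",
        "    retransmit_tries = 5",
    ]
    if dos_protection:
        lines.append(f"    cookie_threshold = {half_open}")
        lines.append("    block_threshold = 5")
    lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed sample of `setkey -DP` output: one tunnel, in + out policy.
SETKEY_DP_SAMPLE = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/unique:1
    spid=1 seq=3 pid=1234
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/unique:1
    spid=2 seq=2 pid=1234
    refcnt=1
"""


def count_spd_policies(setkey_output):
    """Count policies in setkey -DP output by its per-entry spid= line."""
    return sum(1 for line in setkey_output.splitlines()
               if line.strip().startswith("spid="))


def spd_shortfall(setkey_output, tunnels, pairs_per_tunnel=1):
    """How many policies are missing: one in + one out per selector pair."""
    expected = 2 * pairs_per_tunnel * tunnels
    return expected - count_spd_policies(setkey_output)


if __name__ == "__main__":
    print(f"initiator gives up after {retransmit_total()} s")
    print(render_charon_section(300))
    print("SPD entries missing for 300 tunnels:",
          spd_shortfall(SETKEY_DP_SAMPLE, 300))
```

On a live box the SPD check is `setkey -DP | grep -c spid=` compared against two policies per traffic-selector pair per tunnel; a count that stops well short of that, as in the reply above, points at the kernel side rather than at charon's limits.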