Hi,

We attempted an upgrade from 2.1.5 to 2.2.4 today and it backfired entirely, requiring a reinstall of both nodes to get back to a working situation. We did make config backups beforehand, but rolling back is a bit painful in this regard.

We have about 300 IPsec tunnels with Draytek Vigor (2820/2850) routers. Of the 300 tunnels, just 2 managed to come online immediately, and never more than about 10 in half an hour. This was taking way too long and meanwhile the phone was getting hammered.

What appeared to be happening is that these routers are "too" aggressive, triggering the DoS protection in charon. Some tunnels were establishing but triggering DPD and falling off again. We disabled DPD entirely, but alas, this was not enough to get anywhere fast.

After searching some more I see that strongswan.conf has options for the SA table size, as well as an option for disabling the DoS protection. Unfortunately, none of these are listed in the UI.

The dos_protection is enabled per default, something which racoon never had. It does however need adjusting, or disabling above n tunnels. And the cookie settings need adjusting for the larger amount of tunnels too.

Do the ikesa_table_size = 32 and ikesa_table_segments = 4 need adjusting too?

The init_limit_half_open = 1000 needs to be twice the number of tunnels for successful negotiation. So this default should be good for 500 tunnels. Although if there are multiple attempts I could see people running out.

Another thing I hit on the way was the initial phase1 negotiation timing out. For Linux the default is 165 seconds, but I have no idea what the defaults for FreeBSD are.

Apart from the issues with IPsec I didn't appear to have any other issues relating to firewall rules or CARP, so it was a success in that respect. Still a shame that we missed 2600 calls just this morning because the network broke.

Kind regards,
Seth Mos

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
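The settings named in the post above (dos_protection, the cookie thresholds, init_limit_half_open, and the ikesa_table_* sizes) all live in the `charon` section of strongswan.conf. The fragment below is an added example, not the poster's configuration and not the file pfSense generates: it shows how a responder serving a known fleet of a few hundred site-to-site peers can be sized so the DoS protection stays on (and keeps protecting against a genuine IKE flood) instead of being switched off outright. The option names are standard strongSwan charon settings; every numeric value is an assumption chosen for illustration and should be derived from the real peer count.

```conf
# Added example: charon section for strongswan.conf on a responder with
# roughly 300 known IPsec peers. Not the poster's config and not the file
# pfSense writes; option names are standard strongSwan settings, the
# values are assumptions for illustration.
charon {
    # Keep DoS protection enabled. Disabling it removes the cookie
    # exchange and the half-open accounting that defend the responder
    # when something really does flood IKE_SA_INIT / aggressive mode.
    dos_protection = yes

    # Half-open IKE_SAs (from all sources together) above which the
    # responder starts demanding cookies. strongSwan's own default is 10,
    # which 300 peers retrying after a reboot exceed within seconds,
    # so every legitimate peer is then forced through the cookie path.
    # Assumed value: a bit above the tunnel count.
    cookie_threshold = 400

    # Half-open IKE_SAs from one source address before that address is
    # blocked (strongSwan default 5). Each router here is one address
    # with one tunnel, so a small raise only absorbs its retransmits.
    block_threshold = 20

    # Total half-open IKE_SAs before further IKE_SA_INIT requests are
    # dropped; the poster's rule of thumb is twice the number of tunnels.
    init_limit_half_open = 1000

    # Seconds a half-open IKE_SA may linger before charon discards it
    # (strongSwan default 30). Slow peers on a congested link after an
    # upgrade benefit from a little more headroom. Assumed value.
    half_open_timeout = 60

    # Hash table used for IKE_SA lookups. More buckets and more lock
    # segments reduce contention when hundreds of negotiations run in
    # parallel; the sizes below are assumptions for ~300 SAs.
    ikesa_table_size = 512
    ikesa_table_segments = 16
}
```

Two caveats when trying this on pfSense: the firewall regenerates strongswan.conf from its own settings, so a hand edit is only a way to test values until the UI exposes them, and charon reads these options when it starts, so a restart of the IPsec service is needed for them to take effect. Watch the IPsec log for cookie or half-open limit messages while the peers reconnect; if they still appear, the thresholds are still below the real burst size.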
