Hey Seth,

On Fri, Aug 7, 2015 at 6:57 AM, Seth Mos <[email protected]> wrote:
> Hi,
>
> Only to reply to myself here, but it appears that pfSense 2.2.4 is back
> to the problem I had on pfSense 1.2 in 2008.
>
> A cursory investigation on a test node it appears that it fails to load
> all SPD entries. Both the output of ipsec status as well as setkey -DP
> lack large amounts. It appears to stop around 150-200 entries.
>
> I've attempted to adjust the values in /etc/inc/vpn.inc but I don't
> think those relate to the lack of space for setkey to succeed.
>
> Has the kernel patch from FreeBSD 8.3 been ported to FreeBSD 10 for the
> increase in buffer size?
>
Yeah, that patch has been brought forward, though I'm unaware of anyone running quite as many tunnels as you have.

Started looking into the remainder of what you noted yesterday, just haven't had time to get through it yet. Definitely some things there we need to make configurable, and some that we should probably dynamically scale automatically based on the config (with the option to override).

I'll bring up a test setup with a large number of connections to verify as soon as time permits. Hopefully this weekend.
