From: satish a. <sat...@gm...> - 2013-04-30 15:50:34

Hi,

Is there any limit on total number of IKE SA and IPSEC SA racoon support? Is it configurable by user? If they are in source files they are defined.

Thanks,
Satish K Amara
From: Rainer W. <rwe...@mo...> - 2013-04-30 16:00:58

satish amara <sat...@gm...> writes:

> Is there any limit on total number of IKE SA and IPSEC SA racoon
> support. Is it configurable by user. If they are in source files they are
> defined.

If this was supposed to become an English text, the attempt failed :-).

Judging from a quick look at isakmp_ph1begin_r, I don't think there's any fixed limit of IKE SAs. But since all 'central' racoon data structures are linked lists, search time in these ought to become rather expensive once more than a few ten thousand SAs exist. In case of NAT-T, there's an obvious limit of 65535 SAs (of each type) per NAT gateway.
From: vanhu <va...@fr...> - 2013-05-06 15:31:35

On Tue, Apr 30, 2013 at 11:50:27AM -0400, satish amara wrote:
> Hi,

Hi.

> Is there any limit on total number of IKE SA and IPSEC SA racoon
> support. Is it configurable by user. If they are in source files they are
> defined.

There is no such hard limit in racoon, but you may reach some other limits... For example, if you use the PFKey interface with the kernel (*BSD), there is a limit in the socket buffer, which cannot (at least in default kernels) dump more than a few hundred entries. Linux's xfrm interface seems to not have this kind of issue (can someone confirm?)

And, of course, as everything is chain-listed, a huge number of entries may have a big impact on racoon performances.

Yvan.
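The two scaling effects raised in the replies above (a linked-list SA table whose lookup cost grows with the number of entries, and the per-gateway NAT-T limit of one UDP port per SA) can be made concrete with a small model. The following Python is an added example written for this thread; it is not code from racoon, ipsec-tools or either poster, and the SPIs, peer addresses and the head-insertion list layout are constructed assumptions rather than racoon's actual data structures.

```python
# Added example (not from the ipsec-tools list or racoon's source): a model of
# the two limits discussed in the thread.
#   1. SAs kept in a singly linked list cost O(n) SPI comparisons per lookup,
#      while an SPI-indexed table costs a single probe.
#   2. With NAT-T each SA behind a NAT gateway occupies one UDP source port, so
#      one gateway address cannot map more than 65535 of them.
# All SPIs and peer addresses below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SaNode:
    """One SA entry; 'nxt' is the pointer to the next node in the chain."""
    spi: int
    peer: str
    nxt: Optional["SaNode"] = None


class LinkedSaTable:
    """Linked-list SA table (assumed layout): new entries go at the head."""

    def __init__(self) -> None:
        self.head: Optional[SaNode] = None
        self.count = 0

    def add(self, spi: int, peer: str) -> None:
        self.head = SaNode(spi, peer, self.head)
        self.count += 1

    def find(self, spi: int) -> Tuple[Optional[SaNode], int]:
        """Walk the chain; return (node or None, SPI comparisons made)."""
        node, comparisons = self.head, 0
        while node is not None:
            comparisons += 1
            if node.spi == spi:
                return node, comparisons
            node = node.nxt
        return None, comparisons


class IndexedSaTable:
    """Same interface, but keyed by SPI so every lookup is one hash probe."""

    def __init__(self) -> None:
        self.by_spi: Dict[int, SaNode] = {}

    def add(self, spi: int, peer: str) -> None:
        self.by_spi[spi] = SaNode(spi, peer)

    def find(self, spi: int) -> Tuple[Optional[SaNode], int]:
        return self.by_spi.get(spi), 1

    @property
    def count(self) -> int:
        return len(self.by_spi)


def average_lookup_cost(table_cls, n_sas: int) -> float:
    """Load n_sas SAs (SPIs 1..n) and return the mean comparisons per lookup."""
    table = table_cls()
    for spi in range(1, n_sas + 1):
        table.add(spi, f"192.0.2.{spi % 254 + 1}")  # constructed peer address
    total = 0
    for spi in range(1, n_sas + 1):
        node, comparisons = table.find(spi)
        assert node is not None and node.spi == spi
        total += comparisons
    return total / n_sas


class NatGatewayPorts:
    """Per-gateway NAT-T port space: one UDP source port per translated SA."""
    MAX_PORT = 65535

    def __init__(self) -> None:
        self.next_port = 1

    def allocate(self) -> int:
        if self.next_port > self.MAX_PORT:
            raise RuntimeError("NAT-T port space exhausted on this gateway")
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def natt_sas_per_gateway() -> int:
    """Count how many SAs one gateway can map before port allocation fails."""
    gw, allocated = NatGatewayPorts(), 0
    try:
        while True:
            gw.allocate()
            allocated += 1
    except RuntimeError:
        return allocated


if __name__ == "__main__":
    for n in (100, 1_000, 10_000):
        linked = average_lookup_cost(LinkedSaTable, n)
        indexed = average_lookup_cost(IndexedSaTable, n)
        print(f"{n:>6} SAs: linked list {linked:8.1f} comparisons/lookup, "
              f"indexed {indexed:.1f}")
    print("NAT-T SAs per gateway:", natt_sas_per_gateway())
```

With head insertion, the SA added first sits at the end of the chain, so the mean lookup walks (n+1)/2 nodes; at ten thousand SAs that is about five thousand comparisons per lookup, which is the behaviour the replies warn about. The indexed table stays at one probe regardless of size, and the NAT-T model stops at exactly 65535 SAs per gateway address.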