Project

General

Profile

Actions

Bug #12026

closed

Applying IPsec settings for many tunnels is slow or times out

Added by Viktor Gurov 5 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
06/11/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

This is an additional optimization for #11795:

1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:

# trying to resolve non-existent "agdfasdfsdf.netgate.com":
# time php -f resolve50retries.php
0.176u 0.047s 0:18.14 1.1%    4588+402k 91+0io 0pf+0w
# time php -f resolve10retries.php
0.136u 0.045s 0:03.36 5.0%    3968+364k 51+0io 0pf+0w


Related issues

Related to Bug #12195: IPsec writes CRL files when tunnel does not use certificatesResolvedViktor Gurov

Actions
Related to Bug #12196: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers availableResolvedViktor Gurov

Actions
Actions #2

Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Jim Pingle
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
Actions #3

Updated by Jim Pingle 3 months ago

  • Status changed from Pull Request Review to In Progress

I've got some ongoing work I'm doing which is going to conflict with some of that PR. Won't know exactly how badly until I'm finished, but it may not be necessary at all.

Actions #4

Updated by Jim Pingle 3 months ago

  • Subject changed from Optimize applying IPsec settings for more than ~30 tunnels to Applying IPsec settings for many tunnels is slow or times out

Updating subject for release notes.

Actions #5

Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Viktor Gurov 3 months ago

Jim Pingle wrote in #note-5:

Applied in changeset bec6dcfbbef4832b34d47ca60b0671b23dc185d8.

  • 1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
    - I see a fix for this issue in this commit
  • 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
  • 3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:
    - but not for these two
Actions #7

Updated by Jim Pingle 3 months ago

Viktor Gurov wrote in #note-6:

  • 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
  • 3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:
    - but not for these two

I didn't change those as they didn't appear to slow things down in my testing. They were not the primary causes of slowness I observed, anyhow. Though I didn't try with a failed DNS setup.

We can still do those, but they may be better suited for a separate Redmine issues if we decide to implement them. We should only have one change per issue to avoid cases like this where multiple suggestions are put into one place and there isn't a way to track them individually, as really those are separate bugs/optimizations.

Actions #8

Updated by Viktor Gurov 3 months ago

  • Related to Bug #12195: IPsec writes CRL files when tunnel does not use certificates added
Actions #9

Updated by Viktor Gurov 3 months ago

  • Related to Bug #12196: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available added
Actions #10

Updated by Viktor Gurov 3 months ago

New issues: #12195 and #12196

Actions #11

Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved

This is all working correctly now on current IPsec code, in my local tests and based on reports from our internal Netgate VPN servers

Actions

Also available in: Atom PDF