https://redmine.pfsense.org/ 2021-06-11T00:43:30Z pfSense bugtracker
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=54448 2021-06-11T00:43:30Z Viktor Gurov
<ul></ul><p><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/279">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/279</a></p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55194 2021-07-22T08:11:31Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.6.0</i></li><li><strong>Plus Target Version</strong> set to <i>21.09</i></li></ul>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55240 2021-07-26T12:22:52Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>In Progress</i></li></ul><p>I've got some ongoing work I'm doing which is going to conflict with some of that PR. Won't know exactly how badly until I'm finished, but it may not be necessary at all.</p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55320 2021-07-30T12:02:57Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>Optimize applying IPsec settings for more than ~30 tunnels</i> to <i>Applying IPsec settings for many tunnels is slow or times out</i></li></ul><p>Updating subject for release notes.</p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55321 2021-07-30T12:45:16Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="IPsec updates to address multiple issues * Configure/apply code changes. * Vast performance in..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/bec6dcfbbef4832b34d47ca60b0671b23dc185d8">bec6dcfbbef4832b34d47ca60b0671b23dc185d8</a>.</p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55338 2021-07-31T00:43:11Z Viktor Gurov
<ul></ul><p>Jim Pingle wrote in <a href="#note-5">#note-5</a>:</p>
<blockquote>
<p>Applied in changeset <a class="changeset" title="IPsec updates to address multiple issues * Configure/apply code changes. * Vast performance in..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/bec6dcfbbef4832b34d47ca60b0671b23dc185d8">bec6dcfbbef4832b34d47ca60b0671b23dc185d8</a>.</p>
</blockquote>
<ul>
<li>1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected<br />- I see a fix for this issue in this commit</li>
</ul>
<ul>
<li>2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication</li>
<li>3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:<br />- but not for these two</li>
</ul>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55363 2021-08-02T07:17:59Z Jim Pingle
<ul></ul><p>Viktor Gurov wrote in <a href="#note-6">#note-6</a>:</p>
<blockquote>
<ul>
<li>2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication</li>
<li>3. `resolve_retry()` - set `$retries = 10` it can significantly improve FQDN resolution time:<br />- but not for these two</li>
</ul>
</blockquote>
<p>I didn't change those as they didn't appear to slow things down in my testing. They were not the primary causes of slowness I observed, anyhow. Though I didn't try with a failed DNS setup.</p>
<p>We can still do those, but they may be better suited for separate Redmine issues if we decide to implement them. We should only have one change per issue to avoid cases like this where multiple suggestions are put into one place and there isn't a way to track them individually, as really those are separate bugs/optimizations.</p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55403 2021-08-04T00:41:58Z Viktor Gurov
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/12195">Bug #12195</a>: IPsec writes CRL files when tunnel does not use certificates</i> added</li></ul>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55406 2021-08-04T00:58:32Z Viktor Gurov
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/12196">Bug #12196</a>: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available</i> added</li></ul>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=55408 2021-08-04T01:00:46Z Viktor Gurov
<ul></ul><p>New issues: <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: IPsec writes CRL files when tunnel does not use certificates (Resolved)" href="https://redmine.pfsense.org/issues/12195">#12195</a> and <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers... (Resolved)" href="https://redmine.pfsense.org/issues/12196">#12196</a></p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=56289 2021-09-09T14:28:55Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>This is all working correctly now on current IPsec code, in my local tests and based on reports from our internal Netgate VPN servers.</p>
pfSense - Bug #12026: Applying IPsec settings for many tunnels is slow or times out https://redmine.pfsense.org/issues/12026?journal_id=57024 2021-10-27T11:59:34Z Jim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>21.09</i> to <i>22.01</i></li></ul>