Bug #12026
closed
Applying IPsec settings for many tunnels is slow or times out
100%
Description
This is an additional optimization for #11795:
1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
```
# trying to resolve non-existent "agdfasdfsdf.netgate.com":
# time php -f resolve50retries.php
0.176u 0.047s 0:18.14 1.1% 4588+402k 91+0io 0pf+0w
# time php -f resolve10retries.php
0.136u 0.045s 0:03.36 5.0% 3968+364k 51+0io 0pf+0w
```
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Updated by Jim Pingle over 3 years ago
- Status changed from Pull Request Review to In Progress
I've got some ongoing work I'm doing which is going to conflict with some of that PR. Won't know exactly how badly until I'm finished, but it may not be necessary at all.
Updated by Jim Pingle over 3 years ago
- Subject changed from Optimize applying IPsec settings for more than ~30 tunnels to Applying IPsec settings for many tunnels is slow or times out
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset bec6dcfbbef4832b34d47ca60b0671b23dc185d8.
Updated by Viktor Gurov over 3 years ago
Jim Pingle wrote in #note-5:
> Applied in changeset bec6dcfbbef4832b34d47ca60b0671b23dc185d8.

1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
   - I see a fix for this issue in this commit
2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
   - but not for these two
Updated by Jim Pingle over 3 years ago
Viktor Gurov wrote in #note-6:
> 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
> 3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
>    - but not for these two

I didn't change those as they didn't appear to slow things down in my testing. They were not the primary causes of slowness I observed, anyhow. Though I didn't try with a failed DNS setup.
We can still do those, but they may be better suited for separate Redmine issues if we decide to implement them. We should only have one change per issue to avoid cases like this where multiple suggestions are put into one place and there isn't a way to track them individually, as really those are separate bugs/optimizations.
Updated by Viktor Gurov over 3 years ago
- Related to Bug #12195: IPsec writes CRL files when tunnel does not use certificates added
Updated by Viktor Gurov over 3 years ago
- Related to Bug #12196: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available added
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to Resolved
This is all working correctly now on current IPsec code, in my local tests and based on reports from our internal Netgate VPN servers.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01