Bug #12026
closed
Applying IPsec settings for many tunnels is slow or times out
Added by Viktor Gurov over 3 years ago.
Updated about 3 years ago.
Plus Target Version: 22.01
Description
This is an additional optimization for #11795:
1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
# trying to resolve non-existent "agdfasdfsdf.netgate.com":
# time php -f resolve50retries.php
0.176u 0.047s 0:18.14 1.1% 4588+402k 91+0io 0pf+0w
# time php -f resolve10retries.php
0.136u 0.045s 0:03.36 5.0% 3968+364k 51+0io 0pf+0w
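As an added illustration of item 3 (example code, not pfSense code and not the patch discussed in this issue), the following Python model shows why the retry count dominates apply time when a remote gateway FQDN does not resolve. The resolver is injected and charges a constructed per-attempt cost (roughly (18.14 - 3.36) / 40 seconds, taken from the two `time` runs above) on a simulated clock, so nothing sleeps or touches the network. `resolve_retry` also returns IP literals without calling the resolver and honours an optional time budget, so one dead FQDN cannot consume the whole apply run. All function, parameter and host names below are assumptions of this example.

```python
"""Model of a bounded DNS retry loop during an IPsec settings apply.

Added example, not pfSense code. The resolver is injected and the clock is
simulated so the cost of a failing lookup can be measured offline.
"""
import ipaddress
from typing import Callable, Dict, Optional, Sequence, Tuple

# Constructed cost model: about (18.14 - 3.36) / (50 - 10) seconds per failed
# attempt, derived from the two `time` runs quoted on this page.
FAILED_LOOKUP_COST_S = 0.35


class FakeClock:
    """Simulated wall clock so the example measures cost without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_failing_resolver(clock: FakeClock,
                          known: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Return a resolver that answers from `known` (constructed sample data)
    and charges FAILED_LOOKUP_COST_S of simulated time for every miss."""

    def resolve(name: str) -> Optional[str]:
        if name in known:
            return known[name]
        clock.advance(FAILED_LOOKUP_COST_S)  # a miss costs a full DNS timeout
        return None

    return resolve


def resolve_retry(name: str,
                  resolver: Callable[[str], Optional[str]],
                  retries: int = 10,
                  deadline: Optional[float] = None,
                  clock: Optional[FakeClock] = None) -> Optional[str]:
    """Retry a lookup up to `retries` times.

    IP literals are returned without touching the resolver at all, and an
    optional absolute `deadline` on `clock` stops retrying early so a single
    unresolvable gateway cannot eat the entire apply budget.
    """
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        pass  # not an IP literal, fall through to the resolver
    for _ in range(retries):
        if deadline is not None and clock is not None and clock.now >= deadline:
            break
        ip = resolver(name)
        if ip:
            return ip
    return None


def apply_cost(remote_gateways: Sequence[str],
               retries: int,
               known: Optional[Dict[str, str]] = None,
               deadline: Optional[float] = None) -> Tuple[float, int]:
    """Simulated seconds spent resolving every Phase 1 remote gateway, and
    how many of them resolved. Models the per-tunnel loop of an apply."""
    clock = FakeClock()
    resolver = make_failing_resolver(clock, known or {})
    resolved = 0
    for gw in remote_gateways:
        if resolve_retry(gw, resolver, retries, deadline, clock) is not None:
            resolved += 1
    return clock.now, resolved


if __name__ == "__main__":
    dead = ["agdfasdfsdf.netgate.com"]
    print("1 dead FQDN, 50 retries:", apply_cost(dead, 50))
    print("1 dead FQDN, 10 retries:", apply_cost(dead, 10))
    many = ["gw%d.example.invalid" % i for i in range(30)]  # constructed
    print("30 dead FQDNs, 50 retries:", apply_cost(many, 50))
    print("30 dead FQDNs, 10 retries:", apply_cost(many, 10))
    print("30 dead FQDNs, 60 s budget:", apply_cost(many, 50, deadline=60.0))
```

With 30 tunnels whose remote gateways do not resolve, 50 retries cost about 525 simulated seconds against 105 for 10 retries, which is the difference between an apply that times out and one that merely stalls; the deadline variant caps the whole run at the budget plus at most one extra attempt.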
- Status changed from New to Pull Request Review
- Assignee set to Jim Pingle
- Target version set to 2.6.0
- Plus Target Version set to 21.09
- Status changed from Pull Request Review to In Progress
I've got some ongoing work I'm doing which is going to conflict with some of that PR. Won't know exactly how badly until I'm finished, but it may not be necessary at all.
- Subject changed from Optimize applying IPsec settings for more than ~30 tunnels to Applying IPsec settings for many tunnels is slow or times out
Updating subject for release notes.
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Jim Pingle wrote in #note-5:
> Applied in changeset bec6dcfbbef4832b34d47ca60b0671b23dc185d8.

> 1. `ipsec_get_phase1_src()` - always executes `get_interface_ip/ipv6`, even if no appropriate protocol is selected
I see a fix for this issue in this commit.

> 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
> 3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
But not for these two.
Viktor Gurov wrote in #note-6:
> 2. `ipsec_setup_secrets()` - always writes CRL files, even if there is no PH1 cert authentication
> 3. `resolve_retry()` - setting `$retries = 10` can significantly improve FQDN resolution time:
> But not for these two.

I didn't change those as they didn't appear to slow things down in my testing. They were not the primary causes of slowness I observed, anyhow. Though I didn't try with a failed DNS setup.
We can still do those, but they may be better suited to separate Redmine issues if we decide to implement them. We should only have one change per issue to avoid cases like this, where multiple suggestions are put into one place and there isn't a way to track them individually, as really those are separate bugs/optimizations.
- Related to Bug #12195: IPsec writes CRL files when tunnel does not use certificates added
- Related to Bug #12196: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available added
- Status changed from Feedback to Resolved
This is all working correctly now on current IPsec code, in my local tests and based on reports from our internal Netgate VPN servers.
- Plus Target Version changed from 21.09 to 22.01