In the current kernel, af_key users (ipsec-tools / racoon) are not able to handle more than 100-200 concurrent IPsec connections. The attached patch is a backport of the upstream commits fixing this:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.26.git;a=commitdiff;h=83321d6b9872b94604e481a79dc2c8acbe4ece31
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.26.git;a=commitdiff;h=4c563f7669c10a12354b72b518c2287ffc6ebfb3
Created attachment 145344 linux-2.6.24-large-sasp-dump.patch
The patch also gives a significant system performance improvement when there is a large number of IPsec connections.
Did you have to do anything special with those commits to backport them? They both seem to apply cleanly (xfrm one first) but I have not tested compiling or runtime.
(In reply to comment #3)
> Did you have to do anything special with those commits to backport them? They
> both seem to apply cleanly (xfrm one first) but I have not tested compiling or
> runtime.

I got the patches from Timo himself and they are only a rebase to avoid noise about fuzz/diff. He says the raw diffs should work as-is against .24.
ok, compile tested and queued for next release
Fixed in gentoo-sources-2.6.24-r4 (genpatches-2.6.24-5)