The length of time the script-based system takes to read ipsec.conf
can become excessive past about 100 tunnels. The following graph shows the speed of the shell/awk-based parsing system:
As can be seen from this benchmark, this is far from ideal for large-scale deployment on concentrator machines. The poor performance with a large number of tunnels is caused by the startup scripts: Openswan only starts the tunnels sequentially, one after the other. Currently, there are two solutions for avoiding this connection loading problem:
1. Configure all of your tunnels as auto=ignore, start Openswan, and then use a script, similar to that used in the Standard Naming Convention section above, to run through ipsec.conf executing ipsec auto --add $conn to load each connection. These connections are then loaded in the background, resulting in all connections being loaded in parallel, greatly reducing the start-up time.

2. Use the new C configuration parser written by Arkoon Networks—ipsec starter...
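The first solution, written out as an added example (not the book's or Openswan's own script): it pulls the conn names out of ipsec.conf with awk, runs ipsec auto --add for each one in the background and waits for all of them. The ipsec.conf contents are constructed sample data, and the ipsec command is a parameter so a shell function can stand in for it on a machine without Openswan.

```shell
#!/bin/sh
# Added example: load every conn from ipsec.conf in parallel after Openswan has
# been started with all tunnels set to auto=ignore. The conf below is constructed
# sample data; the ipsec command is parameterised so a test double can replace it.

# Print the name of every conn section in FILE, skipping the %default template.
list_conns() {
    awk '$1 == "conn" && $2 !~ /^%/ { print $2 }' "$1"
}

# Run "$IPSEC auto --add NAME" for every conn in FILE, each in the background,
# then wait for all of them. Prints the number of conns handed to ipsec.
load_conns_parallel() {
    conf=$1
    ipsec=${2:-ipsec}      # second argument overrides the real "ipsec" command
    count=0
    for conn in $(list_conns "$conf"); do
        "$ipsec" auto --add "$conn" &
        count=$((count + 1))
    done
    wait                   # block until every background add has finished
    echo "$count"
}

# Write a constructed ipsec.conf (one template, two tunnels) to a temp file.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=3
        auto=ignore

conn branch-office-1
        left=192.0.2.1
        right=198.51.100.1

conn branch-office-2
        left=192.0.2.1
        right=198.51.100.2
EOF
    echo "$f"
}

# Stand-alone run with a shell function standing in for the ipsec binary;
# drop the second argument to use the real one on a concentrator.
fake_ipsec() { echo "would run: ipsec $*"; }
conf=$(write_sample_conf)
load_conns_parallel "$conf" fake_ipsec
rm -f "$conf"
```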