Netgate Blog

IPsec Stability fixes and 1.2-RC4

Some of you might have noticed that a lot of work went into getting IPsec running a bit smoother for large numbers of connections. We would like to take a moment and thank a number of folks for their hard work and for their generous monetary contributions that made these efforts possible.

  1. Heiko Gabe w/ donated significant monetary resources to sponsor these fixes. Heiko has sponsored many projects in pfSense and we are exceptionally grateful for his continued support.

  2. Timo Teräs is a racoon developer who helped correct a few very minor bugs in racoon and worked on improving the setkey code in FreeBSD. Timo is a genius and we are absolutely grateful to him for helping us out.

  3. Seth Mos is a pfSense developer and uses IPsec at his work. Seth has been extremely patient and has worked with Timo and Heiko to coordinate, test and get these patches into pfSense.

Now pfSense can handle far more connections than it could when we began. We could barely handle 75 connections at a time, and then racoon would go into the “sbwait” state and wedge. Now we have noticed that 250+ active tunnels can be running simultaneously and everything seems to work great. I would not be surprised to see us being able to handle thousands of tunnels, but we still need to test this.

Thanks to everyone involved, our IPsec is far more scalable than what is in FreeBSD itself! The next step is to try to convince the FreeBSD developers to adopt our changes so everyone can win.

Please give everyone above a great round of applause. We really appreciate you guys!!