Description of problem: Some customers use more than the standard 1024 file descriptors. This is a particular problem for racoon's IKE daemon, which binds to each of them separately at least once for its IKE ports. Unfortunately this is more than the FD_SETSIZE limit for select(). I believe that this can be changed by using poll/epoll, however that would fall into the feature request category more so than a bug fix.

Version-Release number of selected component (if applicable): ipsec-tools-0.6.5-13.el5_3.1.src.rpm

How reproducible: Every time.

Steps to Reproduce:
1. Configure racoon to set up 3000 rules for 3000 different IP addresses for IKE
2. Start racoon
3. Wait.

Actual results:
2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44bc%bond0[500] used as isakmp port (fd=6114)
2009-08-25 10:53:21: INFO: fe80::fcff:ffff:feff:ffff%vif0.1[500] used as isakmp port (fd=6115)
2009-08-25 10:53:21: INFO: fe80::21e:bff:fed1:44be%bond1[500] used as isakmp port (fd=6116)
2009-08-25 10:53:21: INFO: fe80::200:ff:fe00:0%virbr0[500] used as isakmp port (fd=6117)
2009-08-25 10:53:21: ERROR: fd_set overrun

Expected results: IKE to continue and finish.

Additional info: I had previously attempted to modify FD_SETSIZE in a test program with a define, however this didn't seem to work in my application, therefore I assume that with racoon being considerably more complicated it would not work either.
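Added example, not code from the bug report or from ipsec-tools: it shows the FD_SETSIZE boundary that select() imposes (the "fd_set overrun" condition above) and the poll()-based wait the reporter suggests, which only depends on RLIMIT_NOFILE. The function names, the pipe used as a stand-in for an IKE socket and the descriptor number 3000 are constructed for the demo.

```c
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select() can only track descriptors numbered below FD_SETSIZE (1024 on
 * glibc); FD_SET() on a larger fd writes outside the fd_set, which is the
 * situation racoon reports as "fd_set overrun". */
int select_can_handle(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* poll() receives the fd numbers in an array, so its only bound is the
 * process fd limit. Returns the first readable fd, -1 on timeout or error. */
int first_readable(const int *fds, size_t n, int timeout_ms) {
    struct pollfd pfds[n];                  /* VLA; use malloc() for large n */
    for (size_t i = 0; i < n; i++) {
        pfds[i].fd = fds[i];
        pfds[i].events = POLLIN;
        pfds[i].revents = 0;
    }
    if (poll(pfds, n, timeout_ms) <= 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (pfds[i].revents & POLLIN) return pfds[i].fd;
    return -1;
}

/* Move a pipe's read end to descriptor number target_fd (e.g. 3000, above
 * FD_SETSIZE) and wait for it with poll(). Returns 1 if the fd was reported
 * readable, 0 if the soft RLIMIT_NOFILE could not be raised that far (demo
 * skipped), -1 on any other error. */
int poll_at_fd(int target_fd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (rl.rlim_cur <= (rlim_t)target_fd) {
        rl.rlim_cur = rl.rlim_max;          /* raise soft limit to the hard limit */
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur <= (rlim_t)target_fd)
            return 0;
    }
    int p[2];
    if (pipe(p) != 0) return -1;
    if (dup2(p[0], target_fd) != target_fd) { close(p[0]); close(p[1]); return -1; }
    close(p[0]);
    if (write(p[1], "x", 1) != 1) { close(p[1]); close(target_fd); return -1; }
    int fds[1] = { target_fd };
    int got = first_readable(fds, 1, 1000);
    close(p[1]);
    close(target_fd);
    return got == target_fd ? 1 : -1;
}
```

Running poll_at_fd(3000) on a host whose hard fd limit is 1024 returns 0 rather than failing; with select() the same descriptor could not be watched at all.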
This would require substantial changes to racoon implementation and it would have to be accepted by upstream first. Could the customer try to use openswan instead of ipsec-tools given that openswan is the preferred IKE solution in RHEL?
Tomas, your comment 1 startled me. Where is this documented as to 'preferred' applications when multiples exist? I can get an opened case through a TAC of course for the answer, but if you know off the top of your head, I'd appreciate it -- Russ Herrold
I don't know if this is documented anywhere. It's just that openswan was recently added to RHEL-5 as it supports the Linux kernel interfaces for setting the IPSEC policies better and its design is probably more robust.
Thank you, Tomas, for your reply.
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
We currently do not plan to fix this issue in Red Hat Enterprise Linux 5.