andy([email protected]) on 2014.02.12 12:22:57 +0000:
> Hi,
>
> I think this is a fairly simple one.
>
> Our firewalls are growing in complexity and the number of interfaces and
> IPs as time goes on, and we recently hit an isakmpd limit.
>
> When isakmpd starts it tries to bind to *every* single IP on the system.
> We have a LOT of IPs and isakmpd now fails to initialise;
> 2014-02-12T10:40:29.386318+00:00 brfw1 isakmpd[404]: udp_encap_make:
> socket (2, 2, 17): Too many open files
> 2014-02-12T10:40:29.386352+00:00 brfw1 isakmpd[404]: virtual_bind_if:
> failed to create a socket on 10.2.8.254
> 2014-02-12T10:40:29.386657+00:00 brfw1 isakmpd[404]: virtual_init: could
> not bind the ISAKMP port(s) on all interfaces: Too many open files
>
> More log at bottom..
>
> We only want isakmpd to listen on the CARP IP address on the external
> interface (and probably the physical IPs on the external interface), not
> *all* IPs.
>
> The workaround for now was to add '-4' to the isakmpd daemon to restrict
> it to our v4 addresses. However we will very soon have even too many v4
> addresses for isakmpd to cope and so need a way to instruct isakmpd to only
> bind the necessary IPs.
>
> This would also provide a security enhancement??
>
> Others have reported this limitation before;
> http://www.monkey.org/openbsd/archive2/misc/200502/msg00686.html
maybe this works for you:

# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on = em0
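After restricting isakmpd with Listen-on, a quick way to confirm it really only binds the intended addresses is to check which local IPs carry UDP 500/4500 listeners. The following is an added example, not from this thread or the isakmpd project; it parses `netstat -anf inet`-style lines (the sample below is constructed, with 10.2.8.254 from the log above and 192.0.2.10 as a stand-in CARP address) and flags any ISAKMP socket bound outside an allowed list.

```shell
#!/bin/sh
# Constructed sample of OpenBSD `netstat -anf inet` UDP lines (not real output
# from the poster's firewall). Columns: Proto Recv-Q Send-Q Local Foreign.
SAMPLE_NETSTAT='udp          0      0  10.2.8.254.500         *.*
udp          0      0  10.2.8.254.4500        *.*
udp          0      0  192.0.2.10.500         *.*
udp          0      0  192.0.2.10.4500        *.*
udp          0      0  *.514                  *.*'

# Print each distinct local IPv4 address holding an ISAKMP (500) or
# NAT-T (4500) UDP socket; a wildcard bind is reported as "*".
isakmp_bound_ips() {
    printf '%s\n' "$1" | awk '$1 == "udp" {
        n = split($4, f, ".")
        port = f[n]
        if (port == 500 || port == 4500) {
            ip = (n >= 5) ? f[1] "." f[2] "." f[3] "." f[4] : "*"
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }
    }'
}

# $1: netstat output, $2: space-separated allowed IPs.
# Returns 0 when every ISAKMP listener is on an allowed address, 1 otherwise.
check_isakmp_listeners() {
    netstat_out=$1
    allowed=" $2 "
    rc=0
    for ip in $(isakmp_bound_ips "$netstat_out"); do
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "unexpected ISAKMP listener on $ip"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a live box, replace the sample with `"$(netstat -anf inet)"` and list the CARP and external physical addresses as the allowed set; a hit on any other address means Listen-on did not take effect.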

