Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD

crypto/dist/ipsec-tools/ChangeLog

@@ -1,3 +1,7 @@
+2007-10-15  Yvan Vanhullebus  <vanhu@netasq.com>
+	* src/libipsec/pfkey.c: Try to increase the buffer size of the
+	  pfkey socket, this may help things when we have a huge SPD.
+
 2007-10-02  Yvan Vanhullebus  <vanhu@netasq.com>
 	From Scott Lamb <slamb@slamb.org>
 	* src/racoon/plog.[ch]: new plog macro

crypto/dist/ipsec-tools/src/libipsec/pfkey.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: pfkey.c,v 1.14 2007/07/18 12:07:50 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.15 2007/10/15 16:05:01 vanhu Exp $	*/
 
 /*	$KAME: pfkey.c,v 1.47 2003/10/02 19:52:12 itojun Exp $	*/
 
@@ -1788,7 +1788,7 @@ int
 pfkey_open()
 {
 	int so;
-	const int bufsiz = 128 * 1024;	/*is 128K enough?*/
+	int bufsiz = 128 * 1024;	/*is 128K enough?*/
 
 	if ((so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0) {
 		__ipsec_set_strerror(strerror(errno));
@@ -1801,7 +1801,12 @@ pfkey_open()
 	 */
 	(void)setsockopt(so, SOL_SOCKET, SO_SNDBUF, &bufsiz, sizeof(bufsiz));
 	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
-
+	bufsiz = 256 * 1024;
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+	bufsiz = 512 * 1024;
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
+	bufsiz = 1024 * 1024;
+	(void)setsockopt(so, SOL_SOCKET, SO_RCVBUF, &bufsiz, sizeof(bufsiz));
 	__ipsec_errcode = EIPSEC_NO_ERROR;
 	return so;
 }