[strongSwan] Can strongSwan support 100k concurrent connections?

Michael Schwartzkopff ms at sys4.de
Mon Jan 16 13:48:09 CET 2017


On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> > On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
> >> Hi Varun,
> >> 
> >> we have customers who have successfully been running up to 60k
> >> concurrent tunnels. In order to maximize performance please have
> >> a look at the use of hash tables for IKE_SA lookup
> >> 
> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> 
> >> as well as job priority management
> >> 
> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> 
> >> We also recommend to use file-based logging since writing to syslog
> >> extremely slows down the charon daemon
> >> 
> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >> 
> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange
> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> maximum performance.
> >> 
> >> ESP throughput is limited by the number of available cores and the
> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> 
> >> Best regards
> >> 
> >> Andreas
> >> 
> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> > Hi,
> >> > As I understand, strongSwan supports scalability from 4.x onwards. I
> >> > am new to strongSwan and to VPN in general.
> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
> >> > Though I have read that strongSwan supports scalability, I couldn't
> >> > find stats to support it.
> >> > Before adopting strongSwan, my team wanted to know *if it can support
> >> > up to 100k simultaneous connections*. Hence I need to find pointers to
> >> > obtain this kind of information.
> > 
> > hi,
> > 
> > I think further scaling might be possible with load balancers. But this is
> > a topic for deeper investigation of the project.
> > 
> > Kind regards,
> > 
> > Michael Schwartzkopff
> > 
> > --
> > [*] sys4 AG
> > 
> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> > Schleißheimer Straße 26/MG, 80333 München
> > 
> > Registered office: München, Amtsgericht München: HRB 199263
> > Management board: Patrick Ben Koetter, Marc Schiffbauer
> > Chairman of the supervisory board: Florian Kirstein
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> 
> Thanks Michael,
> I was just searching whether load balancing is supported by strongSwan
> or not. Came across this thread:
> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> 
> But this didn't lead to any conclusion.
> So is load balancing supported by strongSwan?

If you use LVS in front of the VPN server, the VPN server does not know about 
the load balancing. You would have to find a solution for the reverse traffic, 
i.e. IP pools on the VPN server.

LVS offers a feature to do load balancing with firewall marks. This might be 
necessary for balancing IKE and ESP together.

I don't know if an SA sync between strongSwan servers is possible.

But anyway: this setup should be designed and tested very carefully.


Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
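The tuning points Andreas lists above (IKE_SA hash table, job priority threads, file-based logging instead of syslog, ECP/GCM proposals), collected into one configuration as an added example. This is not from the thread or from the strongSwan project; the table size, thread counts, log path and connection name are assumptions that have to be sized for the actual deployment, and the defaults quoted in comments are those of the 5.x charon daemon.

```conf
# /etc/strongswan.conf (added example, values are assumptions)
charon {
    # IKE_SA lookup. Default ikesa_table_size = 1 degenerates the hash
    # table into a single list, so every lookup walks all IKE_SAs.
    # Size it for the expected number of tunnels; segments bound lock
    # contention between worker threads.
    ikesa_table_size = 131072
    ikesa_table_segments = 64

    # Worker threads (default 16) plus per-priority reservations, so that
    # IKE_SA_INIT and rekeying jobs are not starved by bulk work under load.
    threads = 64
    processor {
        priority_threads {
            critical = 8
            high = 16
            medium = 16
        }
    }

    # Logging: level -1 turns syslog off (default level is 1), and the
    # file logger takes over. flush_line = no avoids a flush per line.
    syslog {
        daemon {
            default = -1
        }
    }
    filelog {
        /var/log/charon.log {
            default = 1
            ike_name = yes
            append = yes
            flush_line = no
        }
    }
}

# /etc/ipsec.conf (conn excerpt, other settings as in the deployment)
# IKE: AES-128-GCM with a 256-bit ECP DH group; on 5.5.2 and later
# curve25519 can replace ecp256. ESP: AES-128-GCM, no DH group, so
# CHILD_SA rekeys do not repeat the exchange the thread names as the
# bottleneck. The trailing "!" makes the proposal strict.
conn roadwarrior
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16!
</conf>
```

Two things worth checking after applying such a configuration: that the sum of the priority_threads reservations stays below charon.threads (otherwise no threads remain for unreserved jobs), and that the log file sits on storage that keeps up, since the file logger is only an improvement over syslog while writes do not block.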