[strongSwan] Can strongSwan support 100k concurrent connections?

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 16 14:33:33 CET 2017


On 16.01.2017 20:39, Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
>>> Hi Varun,
>>>
>>> we have customers who have successfully been running up to 60k
>>> concurrent tunnels. In order to maximize performance please have
>>> a look at the use of hash tables for IKE_SA lookup
>>>
>>>     https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>>
>>> as well as job priority management
>>>
>>>     https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>>
>>> We also recommend using file-based logging since writing to syslog
>>> extremely slows down the charon daemon
>>>
>>>     https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>
>>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>> maximum performance.
>>>
>>> ESP throughput is limited by the number of available cores and the
>>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 16.01.2017 19:00, Varun Singh wrote:
>>>> Hi,
>>>> As I understand, strongSwan supports scalability from 4.x onwards. I
>>>> am new to strongSwan and to VPN in general.
>>>> I have set up a strongSwan 5.3.5 installation on Ubuntu 16.04 LTS.
>>>> Though I have read that strongSwan supports scalability, I couldn't
>>>> find stats to support it.
>>>> Before adopting strongSwan, my team wanted to know *if it can support
>>>> up to 100k simultaneous connections*. Hence I need to find pointers to
>>>> obtain this kind of information.
>>
>> hi,
>>
>> I think further scaling might be possible with load balancers. But this is
>> a topic for deeper investigation of the project.
>>
>> Kind regards,
>>
>> Michael Schwartzkopff
>>
>> --
>> [*] sys4 AG
>>
>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> Schleißheimer Straße 26/MG, 80333 München
>>
>> Registered office: München, District Court München: HRB 199263
>> Executive board: Patrick Ben Koetter, Marc Schiffbauer
>> Chairman of the supervisory board: Florian Kirstein
>
> Thanks Michael,
> I was just searching whether load balancing is supported by strongSwan
> or not. Came across this thread:
> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>
> But this didn't lead to any conclusion.
> So is load balancing supported by strongSwan?
>
Have a look at strongSwan's High Availability (HA) solution

   https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability

which can be run in an active-active mode where the load-balancing
is achieved by Cluster IP.

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
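
The tuning points from the quoted advice (IKE_SA hash table, job priorities, file-based logging, ecp256 and aes128gcm16), gathered into one strongswan.conf sketch. This is an added example, not part of the original mail and not the strongSwan project's own configuration. All numeric values, the log path and the IKE cipher/integrity choice (aes128-sha256) are constructed assumptions, and the filelog section uses the path-as-section-name syntax, assumed here to match the 5.3.5 release mentioned in the thread.

```conf
# strongswan.conf -- constructed example; every value is an assumption
# to be sized against the real tunnel count and hardware.
charon {
    # Worker threads available for IKE processing.
    threads = 32

    # Hash table for IKE_SA lookup (see the IkeSaTable wiki page).
    # Both values should be powers of two; more segments means
    # less lock contention between worker threads.
    ikesa_table_size = 4096
    ikesa_table_segments = 16

    # Job priority management (see the JobPriority wiki page):
    # threads reserved for higher-priority job classes so that
    # traffic for established SAs is not starved by new IKE_SA_INITs.
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }

    # File-based logging instead of syslog.
    filelog {
        /var/log/charon.log {
            default = 1
            append = no
        }
    }
    # Silence the syslog loggers (-1 = absolutely silent).
    syslog {
        daemon {
            default = -1
        }
        auth {
            default = -1
        }
    }
}

# ipsec.conf counterpart (separate file, shown here as comments):
# conn %default
#     ike=aes128-sha256-ecp256!    # ecp256 DH group for the IKE exchange
#     esp=aes128gcm16!             # AES-GCM for ESP
```

On strongSwan 5.5.2 or later, curve25519 can take the place of ecp256 in the ike= proposal, as the quoted advice notes.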
