<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div> </div><span><div> </div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Hi Martin,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Thanks a lot for your valuable
feedback. I modified the strongswan configuration to run 10 threads instead of
100 threads also other parameters. I could able to scale up to 20k ipsec
tunnels without traffic. While trying with 25K IPsec connections, it could
bring up 24855 IPsec connections at both ends (IKE initiator and IKE
responder). In order to debug this issue, I used load-tester command line tool (ipsec
load-tester initiate 25000 30) as mentioned at <a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests</a>.
I find, there are lots of retransmissions (as it prints the status of the
initiation with *</span><span style='color: rgb(54, 0, 12); line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-ansi-language: EN;'> <span lang="EN">character
</span></span><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>mostly) in console. I know, these are certainly considered
to be bad. But I have set the retransmit_timeout and retransmit_tries to 300
seconds and 300 times respectively, which is a huge. Also checked the CPU usage
of Charon daemon at IKE responder end (through top –p <PID of Charon daemon>)
and found to be less than 20% (mostly). Can you please guide/suggest what might be the issue?
Or profiling to find out the potential bottleneck is the only option left. Few
days ago, I had read in this mailing chain that, handling 70K tunnels should be
doable on a single box if we have high end hardware. </span></div><div><font face="Times New Roman">
</font><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Here goes the configuration<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>IKE Responder<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Strongswan.conf<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'># number of worker threads in
charon<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>threads = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>replay_window = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>lock_threshold=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>cookie_threshold=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;">
</span><span style="mso-spacerun: yes;"> </span>init_limit_half_open=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>half_open_timeout=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>dos_protection = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>close_ike_on_child_failure=yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ikesa_table_size = 8192<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ikesa_table_segments = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>reuse_ikesa = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>ipsec.conf<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>conn %default<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ikelifetime=24h<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>keylife=23h<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>rekeymargin=5m<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>keyingtries=1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>keyexchange=ikev2<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ike=aes128-sha1-modp1024!<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>mobike=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>conn gw-gw<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>left=30.30.30.21<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>leftsubnet=40.0.0.1/8<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>rightid=%any<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;">
</span>leftauth=psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>leftfirewall=yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>rightsourceip=10.0.0.0/8<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>leftid=@srv.strongswan.org<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>rightauth=psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>type=tunnel<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>authby=secret<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>rekey=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>reauth=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>auto=add<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>ipsec.secrets<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>@srv.strongswan.org %any : PSK
"strongSwan"<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>IKE Initiator <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Strongswa.conf<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>threads = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>replay_window = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>dos_protection = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>block_threshold=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>cookie_threshold=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>init_limit_half_open=35000<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>retransmit_timeout=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>retransmit_tries=300<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>install_virtual_ip=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>install_routes=no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>close_ike_on_child_failure=yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ikesa_table_size = 8192<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ikesa_table_segments = 32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>reuse_ikesa = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>load-tester {<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>enable = yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>initiators = 10<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>iterations = 2500<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>delay = 20<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>responder = 30.30.30.21<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>initiator_tsr=40.0.0.1/8<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>proposal =
aes128-sha1-modp1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>initiator_auth = psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>responder_auth = psk<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>request_virtual_ip = yes<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>ike_rekey = 0<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>child_rekey = 0<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>delete_after_established =
no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>shutdown_when_complete = no<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span>}<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>ipsec.secrets<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>@srv.strongswan.org %any : PSK
"strongSwan"<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Regards,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Chinmaya<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div></span><div></div><div><br></div> <div style="font-family: lucida console, sans-serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <div class="hr" style="margin: 5px 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); height: 0px; line-height: 0; font-size: 0px;" contenteditable="false" readonly="true"></div> <font face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Chinmaya Dwibedy <ckdwibedy@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, September 19, 2013 4:56 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Performance issue with 20k IPsec tunnels
(using 5.0.4 strongswan and load-tester plugin)<br> </font> </div> <div class="y_msg_container"><br>Hi,<br><br>> threads = 32<br>> load-tester {<br>> initiators = 100<br><br>That won't work. As you can read on [1], each initiator is a thread<br>creating connections. But you have much more initiators configured than<br>your pool has threads. Likely that your threads all are busy initiating,<br>but none is processing incoming packets.<br><br>Running 100 initiators makes hardly sense. Usually you might need a few<br>to put load on all your cores for the DH exchange, but more than 10 are<br>usually not needed.<br><br>To find the bottleneck of your setup, you'll have to do some profiling.<br>First you'll have to check if the initiator or the responder hits some<br>limits. Use a tool of your choice.<br><br>It also might help to use the load-tester command line tool. It gives<br>you valuable
feedback; retransmissions are bad and mean that you hit a<br>limit either on the initiator or the responder.<br><br>Regards<br>Martin<br><br>[1]<a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests</a><br><br><br><br><br><br><br></div> </div> </div> </div></body></html>