[strongSwan-dev] [strongSwan] strongswan performance

Martin Willi martin at strongswan.org
Wed Mar 6 09:10:33 CET 2013

Hi Victor,

> How many IPsec VPN tunnels can strongswan handle?

I don't have much experience with upscaling our new (5.x) IKEv1
implementation in charon yet. However, it uses the same architecture as
IKEv2, which can handle several ten thousand tunnels when configured

> What maximum speed rate can it handle in one tunnel or in all 50 tunnels for
> example under Linux/FreeBSD?

> I have modern Supermicro server with Xeon 3.0GHz and 4 Gig RAM

I don't have much experience with FreeBSD. On Linux, by default IPsec
processing runs on a single core only, which limits throughput to a few
hundred MBit/s. It doesn't really matter if this is for a single or for
50 tunnels.

If you need more, you might consider using AES-NI acceleration if
possible, or switch to parallel crypto processing. There is a good paper
about the parallelization work from Steffen Klassert with some numbers
at [1].



More information about the Dev mailing list