[strongSwan] strongswan limits

Martin Willi martin at strongswan.org
Tue Dec 14 16:59:07 CET 2010

Hi Omar,

> -Do you have any idea about what would be the limits (throughput,
> sessions/sec) of a Strongswan installation using a Quad Xeon 2.2Ghz,
> 4Gb RAM + Debian 5? Any idea about how to measure it?

IKE (and ESP) tunnel setup rate is mostly limited by your asymmetric
crypto performance; we have some numbers at [1]. We did some upscaling
work for up to 20K concurrent IKE+ESP tunnels; you'll find more
information about the tools at [2].

Raw ESP data throughput depends on packet size, and most kernels are
limited to a single core (somewhere between ~200-500 Mbit/s on your
CPU?). With a kernel supporting IPsec processing on multiple cores, it
might be possible to saturate a 1Gbit link.

TCP session setup is not directly related to IPsec processing and
depends on what you're doing with these sessions on the gateway
(connection tracking, firewalling, ...).


