[strongSwan] strongswan limits
Alexander Wilms
alex.wilms at adminguru.org
Tue Dec 14 20:00:01 CET 2010
Hi Omar, hi Martin,
We are facing the challenge of saturating 4x 1 Gbit/s links with IPsec and found this whitepaper:
http://download.intel.com/design/intarch/papers/324238.pdf
In conclusion:
You need a newer Xeon with the AES-NI instruction set, a very recent kernel including the Intel module patches for these instructions, and maybe an RFS-capable NIC. Read also:
http://lwn.net/Articles/382428/
HTH,
Alex
----- Original Message -----
From: "Martin Willi" <martin at strongswan.org>
To: "Omar Armas" <omar.armas at gmail.com>
CC: users at lists.strongswan.org
Sent: Tuesday, 14 December 2010 16:59:07
Subject: Re: [strongSwan] strongswan limits
Hi Omar,
> -Do you have any idea about what would be the limits (throughput,
> sessions/sec) of a Strongswan installation using a Quad Xeon 2.2GHz,
> 4Gb RAM + Debian 5? Any idea about how to measure it?
IKE (and ESP) tunnel setup rate is mostly limited by your asymmetric
crypto performance, we have some numbers at [1]. We did some upscaling
work for up to 20K concurrent IKE+ESP tunnels, you'll find more
information about the tools at [2].
Raw ESP data throughput depends on packet size, and most kernels are
limited to a single core (somewhere between ~200-500 Mbit/s on your
CPU?). With a kernel supporting IPsec processing on multiple cores, it
might be possible to saturate a 1Gbit link.
TCP session setup is not directly related to IPsec processing and
depends on what you're doing with these sessions on the gateway
(connection tracking, firewalling, ...).
Regards
Martin
[1] http://wiki.strongswan.org/projects/strongswan/wiki/PublicKeySpeed
[2] http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests