[strongSwan] strongswan limits

Alexander Wilms alex.wilms at adminguru.org
Tue Dec 14 20:00:01 CET 2010

Hi Omar, hi Martin,

We are facing the challenge of saturating 4x 1 Gbit/s links with IPsec and found this whitepaper:


In conclusion:

You need a newer Xeon with the AES-NI instruction set, a very recent kernel including the Intel module patches for these instructions, and maybe an RFS-capable NIC. Read also:


----- Original Message -----
From: "Martin Willi" <martin at strongswan.org>
To: "Omar Armas" <omar.armas at gmail.com>
CC: users at lists.strongswan.org
Sent: Tuesday, December 14, 2010 16:59:07
Subject: Re: [strongSwan] strongswan limits

Hi Omar,

> -Do you have any idea about what would be the limits (throughput,
> sessions/sec) of a Strongswan installation using a Quad Xeon 2.2Ghz,
> 4Gb RAM + Debian 5? Any idea about how to measure it?

IKE (and ESP) tunnel setup rate is mostly limited by your asymmetric
crypto performance; we have some numbers at [1]. We did some upscaling
work for up to 20K concurrent IKE+ESP tunnels, you'll find more
information about the tools at [2].

Raw ESP data throughput depends on packet size, and most kernels are
limited to a single core (somewhere between ~200-500 Mbit/s on your
CPU?). With a kernel supporting IPsec processing on multiple cores, it
might be possible to saturate a 1Gbit link.

TCP session setup is not directly related to IPsec processing and
depends on what you're doing with these sessions on the gateway
(connection tracking, firewalling, ...).
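
One way to check the two prerequisites named in the reply above (AES-NI in the CPU, and a kernel that actually registers an AES-NI driver), as an added example that is not part of the thread: it parses text in the format of /proc/cpuinfo and /proc/crypto and returns the highest-priority driver for an algorithm name, which is the implementation the kernel crypto API selects. The sample inputs and all function names are constructed for illustration.

```python
# Added example. Both samples are constructed, not taken from a real host.
CPUINFO_SAMPLE = """\
processor\t: 0
model name\t: Constructed Xeon sample
flags\t\t: fpu sse2 ssse3 sse4_1 sse4_2 popcnt aes
"""
CRYPTO_SAMPLE = """\
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
"""

def cpu_has_aes(cpuinfo):
    """True if a 'flags' line lists the exact CPU feature flag 'aes'."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "aes" in value.split():
            return True
    return False

def parse_crypto(text):
    """One dict per implementation; blocks are separated by blank lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            entries.append(fields)
    return entries

def selected_driver(text, algorithm):
    """Driver with the highest priority for this algorithm name, or None."""
    found = [e for e in parse_crypto(text) if e.get("name") == algorithm]
    if not found:
        return None
    return max(found, key=lambda e: int(e.get("priority", "0")))["driver"]

if __name__ == "__main__":
    print(cpu_has_aes(CPUINFO_SAMPLE), selected_driver(CRYPTO_SAMPLE, "aes"))
```

On a live gateway, pass the contents of /proc/cpuinfo and /proc/crypto instead of the samples; a CPU with the flag but only a generic driver selected means the kernel side is missing.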


