[strongSwan] strongswan limits

Alexander Wilms alex.wilms at adminguru.org
Tue Dec 14 20:00:01 CET 2010


Hi Omar, hi Martin,

we are in front of the challenge to saturate 4x 1 Gbit/s Links with IPsec and found this whitepaper:

http://download.intel.com/design/intarch/papers/324238.pdf

As conclusion:

You need a newer Xeon with aes-ni instruction set, a very recent kernel including the Intel module patches for these instructions, and maybe a RFS capable NIC. Read also:
http://lwn.net/Articles/382428/

HTH,
Alex




----- Ursprüngliche Mail -----
Von: "Martin Willi" <martin at strongswan.org>
An: "Omar Armas" <omar.armas at gmail.com>
CC: users at lists.strongswan.org
Gesendet: Dienstag, 14. Dezember 2010 16:59:07
Betreff: Re: [strongSwan] strongswan limits

Hi Omar,

> -Do you have any idea about what would be the limits (throuput,
> sessions/sec) of a Strongswan installation using a Quad Xeon 2.2Ghz,
> 4Gb RAM + Debian 5? Any idea about how to measure it?

IKE (and ESP) tunnel setup rate is mostly limited by your asymmetric
crypto performance, we have some numbers at [1]. We did some upscaling
work for up to 20K concurrent IKE+ESP tunnels, you'll find more
information about the tools at [2].

Raw ESP data throughput depends on packet size, and most Kernels are
limited to a single core (somewhere between ~200-500 Mbit/s on your
CPU?). With a kernel supporting IPsec processing on multiple cores, it
might be possible to saturate a 1Gbit link.

TCP session setup is not directly related to IPsec processing and
depends on what you're doing with these sessions on the gateway
(connection tracking, firewalling, ...).

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/PublicKeySpeed
[2]http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests



_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users




More information about the Users mailing list