[strongSwan] charon RSA tunnel setup speed hints?

Richard Andrews richard.andrews at symstream.com
Wed Aug 15 00:40:41 CEST 2012


On Tue, 2012-08-14 at 12:56 +0200, Tobias Brunner wrote:
> > Having looked at the code. In backend_manager.c there appears to be a
> > linear search through the peer table for candidates matching all the
> > required criteria.
> > 
> > Are there any alternative search implementations for larger peer sets?
> 
> No, currently not.  Even for gateways handling thousands of tunnels, a
> few simple road-warrior configs (right=%any etc.) are usually enough,
> making this lookup very fast.
> The problem in your case is probably that you have a config for each
> client with rightcert=<clientcert> because each client has a self-signed
> certificate.  Issuing all these certificates from a common CA would
> avoid this as only a single connection entry would be required to handle
> all clients.

Using a CA has some significant downsides for me. RSAsig looks the best.

Is there an EAP or similar mechanism that can be used to offload RSAsig
authentication to an AAA server?

Would one of the DB back-ends be faster?

I'm aiming for 20,000 tunnels and 50 auth per sec (peak) on a gateway.
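As an added illustration of the two configurations compared in this thread (not from the thread itself or from the strongSwan project): per-client `conn` entries keyed on `rightcert`, which `backend_manager.c` scans linearly, beside the single CA-based entry Tobias describes. Certificate file names and the CA DN are assumed placeholders.

```conf
# ipsec.conf, variant 1: one entry per self-signed client certificate.
# charon walks these entries linearly for every incoming IKE_SA, so the
# lookup cost grows with the number of clients (20,000 here).
conn %default
    left=%defaultroute
    leftcert=gatewayCert.pem         # assumed file in /etc/ipsec.d/certs
    right=%any
    authby=rsasig
    auto=add

conn client-0001
    rightcert=client-0001.pem        # assumed self-signed client cert
    rightid="CN=client-0001"         # assumed subject DN

conn client-0002
    rightcert=client-0002.pem
    rightid="CN=client-0002"
# ... one conn block for every further client

# ipsec.conf, variant 2: all client certificates issued by one CA.
# The CA certificate sits in /etc/ipsec.d/cacerts and a single entry
# matches any peer whose certificate chains to it, so the peer-config
# lookup no longer depends on the number of clients.
conn clients
    left=%defaultroute
    leftcert=gatewayCert.pem
    right=%any
    rightca="C=XX, O=Example, CN=Example Client CA"   # assumed CA DN
    authby=rsasig
    auto=add
```

With variant 2 per-client authorization moves from the peer-config lookup to the certificate chain check, which is the trade-off the reply above is pointing at.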
