[strongSwan] charon RSA tunnel setup speed hints?
Tobias Brunner
tobias at strongswan.org
Thu Aug 16 11:02:29 CEST 2012
Hi Richard,
> Is there an EAP or similar mechanism that can be used to offload RSAsig
> authentication to an AAA server?
If you want to use RSA, EAP-TLS might be an option in combination with
the EAP-RADIUS plugin on the gateway (see [1] for an example) to offload
it to an AAA server. EAP methods that use username/password
authentication might also be an option (or a combination of both with
EAP-TTLS or EAP-PEAP). It probably depends on what your clients can
actually use.
> Would one of the DB back-ends be faster?
Not at the moment as the SQL query there is too simple (it does not
filter by identities, just enumerates all peer configs). There is a
TODO in the code there, though, so I'm not sure why it was not yet
implemented with a proper WHERE clause.
> I'm aiming for 20,000 tunnels and 50 auth per sec (peak) on a gateway.
Keeping the config simple in this case would help anyway. And the
simplest is certainly to sign all client certificates by a common CA (or
intermediate CA). What's the reason you don't want to do this?
Regards,
Tobias
[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/
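Gateway-side configuration for the EAP-TLS-via-RADIUS offload described above, added here as an illustration; it is not taken from the original message or from the strongSwan test case linked at [1]. Hostnames, addresses, the certificate file name and the shared secret are placeholders to be replaced.

```conf
# --- ipsec.conf (gateway; "left" is the local side in strongSwan) ---
conn rw-eap-tls-radius
    left=%any
    leftcert=gatewayCert.pem          # placeholder: the gateway's own certificate
    leftid=@gateway.example.org       # placeholder identity
    leftauth=pubkey                   # the gateway still authenticates with its RSA key;
                                      # EAP only replaces the *client* side of the exchange
    leftsubnet=10.1.0.0/16            # placeholder: subnet offered to road warriors
    right=%any
    rightauth=eap-radius              # forward the client's EAP (here EAP-TLS) to RADIUS
    rightsendcert=never               # client cert travels inside EAP-TLS, not in IKE
    eap_identity=%identity            # ask the client for an EAP identity and use it
    auto=add

# --- strongswan.conf (gateway) ---
charon {
    plugins {
        eap-radius {
            servers {
                aaa {
                    address = 10.0.0.5        # placeholder: RADIUS/AAA server
                    secret = CHANGE-ME-SECRET # placeholder: RADIUS shared secret
                    auth_port = 1812
                }
            }
        }
    }
}
```

With this setup the per-client RSA signature check and CA chain validation happen on the RADIUS server, so its capacity (and the latency of the gateway-to-RADIUS path) becomes the limit for the peak authentication rate rather than the gateway's peer-config lookup.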