[strongSwan] charon RSA tunnel setup speed hints?

Tobias Brunner tobias at strongswan.org
Thu Aug 16 11:02:29 CEST 2012

Hi Richard,

> Is there a EAP or similar mechanism that can be used to offload RSAsig
> authentication to a AAA server?

If you want to use RSA EAP-TLS might be an option in combination with
the EAP-RADIUS plugin on the gateway (see [1] for an example) to offload
it to an AAA server.  EAP methods that use username/password
authentication might also be an option (or a combination of both with
EAP-TTLS or EAP-PEAP).  It probably depends on what your clients can
actually use.

> Would one of the DB back-ends be faster?

Not at the moment as the SQL query there is too simple (it does not
filter by identities, just enumerates all peer configs).  There is a
TODO in the code there, though, so I'm not sure why it was not yet
implemented with a proper WHERE clause.

> I'm aiming for 20,000 tunnels and 50 auth per sec (peak) on a gateway.

Keeping the config simple in this case would help anyway.  And the
simplest is certainly to sign all client certificates by a common CA (or
intermediate CA).  What's the reason you don't want to do this?


[1] http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tls-radius/

More information about the Users mailing list