[strongSwan] Ballpark number of users and Load balancing

Richard Andrews richard.andrews at symstream.com
Wed Oct 10 10:23:09 CEST 2012


The biggest bottleneck I've found around number of users involves the
peer lookup at IKE authentication time. If you configure static traffic
selectors for each individual peer (as I do) then it's a linear search
across the set of KNOWN possible peer IDs.

I run 5000 clients with 1024b RSA pubkey auth on a 1GB VM guest of a
2GHz Core i5 machine and peer lookup is around 200ms on average. There
are ways to minimise authentications and bring load down. There's
potential to make this faster if I read the code correctly.

Traffic encryption/decryption is done by the kernel so strongswan has
limited impact on this.

Hope this helps

If the clients are under your control, maybe you could load balance at
provisioning time by specifying one of the gateway peer addresses at
random to each new client (or based on smallest client base). Clients
would stick forever but the load would be split.


On Wed, 2012-10-10 at 00:35 +0100, kgardenia42 wrote:
> Hi,
> 
> I am using strongswan for mobile clients.
> 
> Can anyone give me a rough idea of how many clients I can expect (say)
> an Amazon EC2 large instance to handle.  I searched for benchmarks but
> found varying/contrasting results.  I found the integrated load test
> tool docs and intend to run this tomorrow but I am not sure to what
> extent it emulates *real* users.
> 
> Does anyone have a ballpark figure for real life users?  I realize it
> depends on usage but I just am looking for a rough "I won't quote you"
> ballpark.  Should I roughly expect hundreds?  Or thousands?  Or tens
> of thousands even?
> 
> Secondly, I am investigating load balancing possibilities. Ideally I
> would like a pool of (say) 4 strong-swans all of which can share a
> load.  I'm not sure if sharing load would mean user stickiness or some
> shared state across nodes but source ip stickiness would be acceptable
> I guess.
> 
> I read this post:
>     http://www.mail-archive.com/users@lists.strongswan.org/msg03427.html
> 
> As I see it the second option is not suitable for my use-case.  Right?
>   The first option sounds rather involved. Will this even work in a
> cloud (EC2) environment where the LAN IPs are not under my control
> (unless perhaps VPC).  I'm happy to go down this road if it is the
> "right thing to do".  Just wanted to see if there were any other
> approaches to this.
> 
> Would a traditional load balancer with source address stickiness be a
> viable solution?  Or is this a flawed approach?
> 
> Thanks!
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
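The provisioning-time load balancing that Richard suggests above (pick a gateway for each new client at enrolment, either at random or by smallest client base, and let the client stick to it forever), as an added example that is not code from strongSwan or from either poster. It assumes a fixed pool of gateway public addresses (constructed, not real hosts), a persistent assignment table keyed by client identity, and that the enrolment step hands each client an ipsec.conf stanza with the chosen gateway in `right=`; the certificate file names and the gateway identity in the stanza are placeholders.

```python
"""Provisioning-time load balancing for strongSwan road-warrior clients.

Added example, not from the strongSwan project or the thread above.
Assumptions: a static gateway pool, an assignment table that is kept
across enrolments, and per-client ipsec.conf stanzas generated here.
"""
import random
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample gateway pool (TEST-NET-3 addresses, not real hosts).
GATEWAYS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

POLICIES = ("least-loaded", "random")


class Provisioner:
    """Assigns each new client to one gateway and keeps that choice."""

    def __init__(self, gateways: List[str], policy: str = "least-loaded",
                 rng: Optional[random.Random] = None) -> None:
        if not gateways:
            raise ValueError("need at least one gateway")
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.gateways = list(gateways)
        self.policy = policy
        self.rng = rng or random.Random()
        # client identity -> gateway address; this is the "stickiness".
        self.assignments: Dict[str, str] = {}

    def load(self) -> Counter:
        """Client count per gateway, including gateways with no clients."""
        counts = Counter({gw: 0 for gw in self.gateways})
        counts.update(self.assignments.values())
        return counts

    def assign(self, client_id: str) -> str:
        """Return the gateway for client_id, choosing one on first sight."""
        if client_id in self.assignments:
            # Re-enrolment keeps the old gateway so an existing
            # client config (and any live SA) keeps working.
            return self.assignments[client_id]
        if self.policy == "random":
            gw = self.rng.choice(self.gateways)
        else:
            counts = self.load()
            # Smallest client base wins; ties break by address so the
            # result is deterministic and reproducible.
            gw = min(self.gateways, key=lambda g: (counts[g], g))
        self.assignments[client_id] = gw
        return gw

    def max_imbalance(self) -> int:
        """Difference between the busiest and the idlest gateway."""
        counts = self.load()
        return max(counts.values()) - min(counts.values())

    def client_conn(self, client_id: str) -> str:
        """ipsec.conf stanza handed to the client at enrolment.

        Placeholders: the client cert is assumed to be <client_id>.pem and
        all gateways are assumed to present the same identity
        (@vpn.example.org), which is why one stanza fits every gateway.
        """
        gw = self.assign(client_id)
        return (
            "conn vpn\n"
            "    keyexchange=ikev2\n"
            "    left=%defaultroute\n"
            f"    leftcert={client_id}.pem\n"
            "    leftsourceip=%config\n"
            f"    right={gw}\n"
            "    rightid=@vpn.example.org\n"
            "    rightsubnet=0.0.0.0/0\n"
            "    auto=start\n"
        )


def enrol_many(n: int, policy: str = "least-loaded") -> Provisioner:
    """Enrol n constructed clients and return the resulting provisioner."""
    p = Provisioner(GATEWAYS, policy=policy)
    for i in range(n):
        p.assign(f"client{i:04d}")
    return p


if __name__ == "__main__":
    prov = enrol_many(5000)
    print(prov.load())
    print("max imbalance:", prov.max_imbalance())
    print(prov.client_conn("client0007"))
```

With `least-loaded` the 5000 clients from the thread land at exactly 1250 per gateway; with `random` the split is close but not exact, which is why the "smallest client base" variant is the one to use when the provisioning service already has the assignment table in hand. Either way the split is only as good as the original assignment, since nothing here rebalances a client later: if a gateway dies, its clients stay pointed at it until they are re-provisioned.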