[strongSwan] Ballpark number of users and Load balancing
kgardenia42
kgardenia42 at googlemail.com
Wed Oct 10 14:29:06 CEST 2012
On Wed, Oct 10, 2012 at 9:23 AM, Richard Andrews
<richard.andrews at symstream.com> wrote:
> The biggest bottleneck I've found around number of users involves the
> peer lookup at IKE authentication time. If you configure static traffic
> selectors for each individual peer (as I do) then it's a linear search
> across the set of KNOWN possible peer IDs.
by "selector", I assume you mean "conn foo", "conn bar" etc?
If so then I don't do that. I have all peer ids hanging off one
selector. I use client certs to authenticate the clients. I allow
anyone who has a verified client cert to access the VPN. Is this a
valid configuration? Why would I have many selectors? Would this
just be to lock it down to specific users?
I am using the Wiki configuration for IOS clients:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
Pretty much verbatim. Are there any compelling options I can use here
to tune the performance for handling a lot of clients?
> I run 5000 clients with 1024b RSA pubkey auth on a 1GB VM guest of a
> 2GHz core i5 machine and peer lookup is around 200ms on average. There
> are ways to minimise authentications and bring load down. There's
> potential to make this faster if I read the code correctly.
Can you give me some pointers/keywords to search for wrt. minimizing
authentications?
I understand that the "esp" setting dictates the level of encryption
on data connections. Is the default reasonable or should I go for a
cheaper cipher? What do people normally do? BTW - my tunneled data
is SSL so I'm happy to use a less strong cipher if that might help
scalability.
> Traffic encryption/decryption is done by the kernel so strongswan has
> limited impact on this.
Good to know.
> Hope this helps
Yes it does.
>
> If the clients are under your control, maybe you could load balance at
> provisioning time by specifying one of the gateway peer addresses at
> random to each new client (or based on smallest client base). Clients
> would stick forever but the load would be split.
Yes, I considered that. Good thought.
Thanks!
>
>
> On Wed, 2012-10-10 at 00:35 +0100, kgardenia42 wrote:
>> Hi,
>>
>> I am using strongswan for mobile clients.
>>
>> Can anyone give me a rough idea of how many clients I can expect (say)
>> an Amazon EC2 large instance to handle. I searched for benchmarks but
>> found varying/contrasting results. I found the integrated load test
>> tool docs and intend to run this tomorrow but I am not sure to what
>> extent it emulates *real* users.
>>
>> Does anyone have a ballpark figure for real life users? I realize it
>> depends on usage but I just am looking for a rough "I won't quote you"
>> ballpark. Should I roughly expect hundreds? Or thousands? Or tens
>> of thousands even?
>>
>> Secondly, I am investigating load balancing possibilities. Ideally I
>> would like a pool of (say) 4 strong-swans all of which can share a
>> load. I'm not sure if sharing load would mean user stickiness or some
>> shared state across nodes but source ip stickiness would be acceptable
>> I guess.
>>
>> I read this post:
>> http://www.mail-archive.com/users@lists.strongswan.org/msg03427.html
>>
>> As I see it the second option is not suitable for my use-case. Right?
>> The first option sounds rather involved. Will this even work in a
>> cloud (EC2) environment where the LAN IPs are not under my control
>> (unless perhaps VPC). I'm happy to go down this road if it is the
>> "right thing to do". Just wanted to see if there were any other
>> approaches to this.
>>
>> Would a traditional load balancer with source address stickiness be a
>> viable solution? Or is this a flawed approach?
>>
>> Thanks!
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
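As an added illustration of the provisioning-time load balancing Richard suggests above (example code written for this archive page, not from the thread or the strongSwan project; the gateway addresses and client ids are constructed), here is an allocator that pins each new client to one gateway, by the smallest client base or at random, and keeps that assignment sticky:

```python
# Added example: provisioning-time load balancing across a pool of strongSwan
# gateways. Each NEW client gets one gateway address when its profile is built,
# either at random or the gateway with the smallest client base; the choice is
# persisted so the client sticks to that gateway until it is retired.
import random
from dataclasses import dataclass, field


@dataclass
class Provisioner:
    gateways: list[str]                                         # pool of gateway addresses (constructed)
    assignments: dict[str, str] = field(default_factory=dict)   # client id -> gateway
    draining: set[str] = field(default_factory=set)             # gateways closed to new clients

    def client_base(self) -> dict[str, int]:
        """Number of clients currently pinned to each gateway."""
        counts = {gw: 0 for gw in self.gateways}
        for gw in self.assignments.values():
            counts[gw] = counts.get(gw, 0) + 1
        return counts

    def assign(self, client_id: str, strategy: str = "smallest", rng=random) -> str:
        """Return the gateway for client_id, creating the assignment on first use.
        An existing assignment is always honoured, so clients stay sticky."""
        if client_id in self.assignments:
            return self.assignments[client_id]
        candidates = [gw for gw in self.gateways if gw not in self.draining]
        if not candidates:
            raise RuntimeError("no gateway is accepting new clients")
        if strategy == "random":
            gw = rng.choice(candidates)
        elif strategy == "smallest":
            counts = self.client_base()
            gw = min(candidates, key=lambda g: (counts[g], g))  # deterministic tie-break
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        self.assignments[client_id] = gw
        return gw

    def retire(self, gateway: str) -> list[str]:
        """Remove a gateway from the pool. Its clients lose their pinning and are
        re-assigned on their next provisioning run; returns those client ids."""
        self.draining.discard(gateway)
        self.gateways.remove(gateway)
        orphans = [c for c, g in self.assignments.items() if g == gateway]
        for c in orphans:
            del self.assignments[c]
        return orphans
```

Marking a gateway as draining before retiring it lets existing clients keep their pinning while new profiles are steered elsewhere.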