[strongSwan] Ballpark number of users and Load balancing

Richard Andrews richard.andrews at symstream.com
Thu Oct 11 00:37:18 CEST 2012



On Wed, 2012-10-10 at 13:29 +0100, kgardenia42 wrote:
> On Wed, Oct 10, 2012 at 9:23 AM, Richard Andrews
> <richard.andrews at symstream.com> wrote:
> > The biggest bottleneck I've found around number of users involves the
> > peer lookup at IKE authentication time. If you configure static traffic
> > selectors for each individual peer (as I do) then it's a linear search
> > across the set of KNOWN possible peer IDs.
> 
> by "selector", I assume you mean "conn foo", "conn bar" etc?
> 
> If so then I don't do that.  I have all peer ids hanging off one
> selector.  I use client certs to authenticate the clients.  I allow
> anyone who has a verified client cert to access the VPN.  Is this a
> valid configuration?  Why would I have many selectors?  Would this
> just be to lock it down to specific users?

I need to ensure a static (tunneled) IP address is tied to each
particular identity and pubkey for mobile peers.

If you follow Martin's advice you will achieve much higher scalability
than I reported because you are not constrained in the same manner.

I'm sure it would be appreciated if you could report back your EC2
scalability testing results for others to find in the future.





