[strongSwan] Tuning number of threads etc.

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 9 09:02:08 CET 2013


Hi,

the ipsec statusall command shows you the number of threads in actual
use:

  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0

Depending on the plugins you are using, between 8 and 10 threads are
permanently assigned to certain tasks. With our default of 16 threads
you have about 8 threads available for serving IKE SAs. It makes sense
to have about two threads per core, so our default usually is ok for a
quad-core machine. If you have a lot of connections using EAP or XAUTH
based authentication delegated to a RADIUS server or certificate based
authentication using OCSP, then we recommend increasing the number of
threads because a lot of them will be in blocking state waiting for
RADIUS or OCSP responses. See also our Job priority management HOWTO

  http://wiki.strongswan.org/projects/strongswan/wiki/JobPriority

which effectively prevents thread attrition.

Memory requirements are about 10kB per SA, so 1000 connections need
10MB of RAM and 10'000 connections 100MB. Thus memory usage is usually
not a problem and computing power becomes the decisive factor.

If your gateway machine has an Intel processor supporting the AES-NI
instruction set, then I recommend using AES128-GCM authenticated
encryption for ESP since this algorithm can be tremendously accelerated
in hardware. If the VPN client does not support AES-GCM (Windows
Vista/7/8 does), then go for AES128-HMAC-SHA1-96. AES is up to a factor
of 30 faster than 3DES anyway.

Regards

Andreas

On 02/09/2013 01:02 AM, kgardenia42 wrote:
> Hi,
> 
> I am using an AWS high-cpu medium instance and I find that when I reach
> around 1000 users I get backlogged connection attempts and users start
> to complain about slow/backlogged connection attempts.  "ipsec status"
> seems to confirm this.
> 
> Any suggestions on ways to tune this?  Is the number of threads
> significant to this?   The default number of threads is 16.  Is this a
> good number for a quad-core machine?  Are maybe fewer threads better if
> I only have 4 cores?  I realize I can experiment; I just would
> appreciate some "accepted wisdom".
> 
> Am I correct in thinking that when selecting a server, CPU is the
> main factor (rather than memory)?  i.e. the more and faster CPUs the
> better?  I am using an AWS high-cpu medium instance; I had hoped to get
> more users per instance than 1000.  What are the key things I should
> look at here?
> 
> I had read in the past that setting "esp" to a cheaper cipher may be
> helpful, but since I am using iOS devices it seems that they don't want
> to connect if I set a cheaper cipher.  I experimentally set it to the
> NULL cipher "null-sha1!".  Is there any logging I can enable to see
> what ciphers a client device supports?
> 
> Any other obvious areas I should look at?
> 
> Thanks.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
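The worker-thread counters Andreas reads off `ipsec statusall`, turned into a small capacity check. This is an added example, not code from the strongSwan project or from the thread; the sample status text is constructed, and the reserved-thread and threads-per-core figures are the rule of thumb from the reply above, not values the daemon reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header line is made up, the worker-thread line has the
# exact shape of the `ipsec statusall` output quoted in the reply above.
SAMPLE_STATUS = """Status of IKE charon daemon:
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
"""

WORKER_RE = re.compile(
    r"worker threads: (?P<idle>\d+) of (?P<total>\d+) idle, "
    r"(?P<working>\d+/\d+/\d+/\d+) working, "
    r"job queue: (?P<queued>\d+/\d+/\d+/\d+), scheduled: (?P<scheduled>\d+)"
)

@dataclass
class WorkerStats:
    total: int
    idle: int
    working: tuple   # busy threads per job priority class, highest class first
    queued: tuple    # waiting jobs per priority class, same order
    scheduled: int   # jobs scheduled for later execution

def parse_worker_threads(status_output):
    """Extract the worker-thread counters from `ipsec statusall` output."""
    m = WORKER_RE.search(status_output)
    if not m:
        raise ValueError("no 'worker threads' line found")
    def split(field):
        return tuple(int(x) for x in field.split("/"))
    return WorkerStats(int(m["total"]), int(m["idle"]),
                       split(m["working"]), split(m["queued"]), int(m["scheduled"]))

def assess(stats, cores, reserved=8, per_core=2):
    """Rule of thumb from the reply: 8-10 threads are pinned to fixed tasks and
    about two more per core should be free to serve IKE SAs (assumed defaults).
    Returns (recommended_total_threads, findings)."""
    findings = []
    recommended = reserved + per_core * cores
    if stats.total < recommended:
        findings.append(f"threads={stats.total} below suggested {recommended} for {cores} cores")
    if stats.idle == 0 and sum(stats.queued) > 0:
        findings.append("all workers busy and jobs queued: check for blocking RADIUS/OCSP waits")
    return recommended, findings

def estimated_sa_memory_mb(sa_count, kb_per_sa=10):
    """Memory estimate using the ~10 kB per SA figure from the reply."""
    return sa_count * kb_per_sa / 1000
```

A non-empty findings list is the cue to raise the thread count (the `threads` setting in the charon section of strongswan.conf) or to look at where threads block, as the reply describes.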
