[strongSwan] [strongSwan-dev] strongswan performance

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 6 10:03:44 CET 2013

Hi Victor,

have a look at Intel's 2010 whitepaper on AES-NI IPsec performance:




On 06.03.2013 09:10, Martin Willi wrote:
> Hi Victor,
>> How many IPsec VPN tunnels can strongswan handle?
> I don't have much experience with upscaling our new (5.x) IKEv1
> implementation in charon yet. However, it uses the same architecture as
> IKEv2, which can handle several ten thousand tunnels when configured
> properly.
>> What maximum speed rate can it handle in one tunnel or in all 50 tunnels for
>> example under Linux/FreeBSD?
>> I have modern Supermicro server with Xeon 3.0GHz and 4 Gig RAM
> I don't have much experience with FreeBSD. On Linux, by default IPsec
> processing runs on a single core only, which limits throughput to a few
> hundred MBit/s. It doesn't really matter if this is for a single or for
> 50 tunnels.
> If you need more, you might consider using AES-NI acceleration if
> possible, or switch to parallel crypto processing. There is a good paper
> about the parallelization work from Steffen Klassert with some numbers
> at [1].
> Regards
> Martin
> [1]http://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130306/a74b0ee0/attachment.bin>

More information about the Users mailing list