[strongSwan] Performance issue with 20k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Thu Sep 19 12:58:52 CEST 2013
Hi,

I set "/proc/sys/net/core/xfrm_acq_expires" to 23000 seconds. I tested with 15k IPsec tunnels successfully without encountering any issue. While trying to run with 20000 IPsec tunnels without data traffic, it was able to bring up 19939 tunnels (checked the SAD count via ip xfrm state count). Also, the IPsec tunnel setup was very slow: to bring up these 19939 tunnels, it takes 6 hours (approximately). We are using a Gigabit Ethernet link between two high-end systems (one acts as the IKE initiator and the other as the IKE responder). I cannot enable logging with 20k IPsec tunnels to debug this issue. Can anyone please suggest what areas to look at, so that I can scale up to more tunnels? Thanks in advance for your help.

Here go our configurations. Please feel free to let me know if any more information is needed.
IKE initiator

strongswan.conf

    threads = 32
    replay_window = 32
    dos_protection = no
    block_threshold = 23000
    cookie_threshold = 23000
    init_limit_half_open = 23000
    init_limit_job_load = 23000
    retransmit_timeout = 120
    retransmit_tries = 90
    install_virtual_ip = no
    install_routes = no
    close_ike_on_child_failure = yes
    ikesa_table_size = 4096
    ikesa_table_segments = 32
    reuse_ikesa = no
    load-tester {
        enable = yes
        initiators = 100
        iterations = 200
        delay = 20
        responder = 30.30.30.21
        initiator_tsr = 40.0.0.1
        proposal = aes128-sha1-modp1024
        initiator_auth = psk
        responder_auth = psk
        request_virtual_ip = yes
        ike_rekey = 0
        child_rekey = 0
        delete_after_established = no
        shutdown_when_complete = no
    }

ipsec.secrets

    @srv.strongswan.org %any : PSK "strongSwan"
IKE responder

strongswan.conf

    threads = 32
    replay_window = 32
    block_threshold = 23000
    cookie_threshold = 23000
    init_limit_half_open = 23000
    half_open_timeout = 23000
    init_limit_job_load = 23000
    dos_protection = no
    close_ike_on_child_failure = yes
    ikesa_table_size = 4096
    ikesa_table_segments = 32
    reuse_ikesa = no

ipsec.conf

    conn %default
        ikelifetime=24h
        keylife=23h
        rekeymargin=5m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        mobike=no

    conn gw-gw
        left=30.30.30.21
        leftsubnet=40.0.0.1/8
        rightid=%any
        leftauth=psk
        leftfirewall=yes
        rightsourceip=10.0.0.0/8
        leftid=@srv.strongswan.org
        rightauth=psk
        type=tunnel
        authby=secret
        rekey=no
        reauth=no
        auto=add

ipsec.secrets

    @srv.strongswan.org %any : PSK "strongSwan"
Regards,
Chinmaya
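An added example, not part of the original post, for watching the tunnel setup rate described above without enabling charon debug logging: it samples the kernel SAD periodically and prints tunnels per minute. It assumes iproute2's `ip xfrm state count` prints a line of the form `SAD count <n>`, and that each established tunnel occupies two SAD entries (one SA per direction, no rekeying in progress, as in the configuration above).

```shell
#!/bin/sh
# Added example (not from the original post): sample the kernel SAD count
# at a fixed interval and report the IPsec tunnel setup rate, so a slow
# load test can be located in time without turning on charon logging.
# Assumption: `ip xfrm state count` (iproute2) prints "SAD count <n>".
# Assumption: one tunnel = two SAD entries (inbound + outbound SA).

# Extract the integer from a line such as "SAD count 19939"; prints
# nothing if the input does not match, so callers can detect errors.
parse_sad_count() {
    printf '%s\n' "$1" | sed -n 's/^SAD count \([0-9][0-9]*\).*/\1/p'
}

# Tunnels per minute between two SAD samples taken INTERVAL seconds apart.
# args: previous_sad_count current_sad_count interval_seconds
setup_rate_per_min() {
    echo $(( ($2 - $1) * 60 / (2 * $3) ))
}

# Sampling loop: prints time, SAD count, tunnel count and setup rate.
# args: interval_seconds [max_samples]   (max_samples=0 runs until killed)
monitor_sad() {
    interval=${1:-30}; max=${2:-0}; n=0
    prev=$(parse_sad_count "$(ip xfrm state count)") || return 1
    [ -n "$prev" ] || { echo "unexpected 'ip xfrm state count' output" >&2; return 1; }
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        sleep "$interval"
        cur=$(parse_sad_count "$(ip xfrm state count)")
        [ -n "$cur" ] || { echo "unexpected 'ip xfrm state count' output" >&2; return 1; }
        rate=$(setup_rate_per_min "$prev" "$cur" "$interval")
        printf '%s SAD=%s tunnels=%s rate=%s/min\n' \
            "$(date +%T)" "$cur" "$((cur / 2))" "$rate"
        prev=$cur; n=$((n + 1))
    done
}
```

Run `monitor_sad 30` as root on the responder while the load-tester is active; a rate that drops sharply once the SAD passes a certain size points at the kernel or table-size side, while a rate that is uniformly low from the start points at the negotiation side (initiator delay, retransmits, thread count).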