[strongSwan] Performance issue with 20k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

Martin Willi martin at strongswan.org
Thu Sep 19 13:26:40 CEST 2013


>    threads = 32
>    load-tester {
>        initiators = 100

That won't work. As you can read on [1], each initiator is a thread
creating connections. But you have many more initiators configured than
your pool has threads. It is likely that all your threads are busy
initiating, but none is processing incoming packets.

Running 100 initiators hardly makes sense. Usually you might need a few
to put load on all your cores for the DH exchange, but more than 10 are
usually not needed.

To find the bottleneck of your setup, you'll have to do some profiling.
First you'll have to check if the initiator or the responder hits some
limits. Use a tool of your choice.

It also might help to use the load-tester command line tool. It gives
you valuable feedback; retransmissions are bad and mean that you hit a
limit either on the initiator or the responder.
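
Added example, not part of the original post and not strongSwan code: a small check that parses a strongswan.conf and flags the initiators/threads mismatch described in the reply above. The sample file is constructed from the quoted values, and the function names, the `max_useful` parameter and the assumed default of 16 threads are this example's own.

```python
import re

# Constructed sample in strongswan.conf syntax, using the values quoted in the post.
SAMPLE_CONF = """
charon {
    threads = 32            # worker thread pool size
    plugins {
        load-tester {
            enable = yes
            initiators = 100
        }
    }
}
"""

def parse_conf(text):
    """Flatten nested 'name { key = value }' sections into dotted keys."""
    settings, path, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]               # strip comments
        for part in re.split(r"([{}])", line):    # braces become their own tokens
            part = part.strip()
            if part == "{":
                path.append(pending)              # open the section named just before
            elif part == "}":
                path.pop()
            elif "=" in part:
                key, value = part.split("=", 1)
                settings[".".join(path + [key.strip()])] = value.strip()
            elif part:
                pending = part
    return settings

def check_load_tester(settings, max_useful=10):
    """Return findings for the thread-starvation problem described in the post."""
    # Assumption: 16 is charon's default pool size when 'threads' is unset.
    threads = int(settings.get("charon.threads", 16))
    initiators = int(settings.get("charon.plugins.load-tester.initiators", 0))
    findings = []
    if initiators >= threads:
        findings.append(f"initiators={initiators} >= threads={threads}: "
                        "no worker is left to process incoming packets")
    if initiators > max_useful:
        findings.append(f"initiators={initiators}: more than {max_useful} "
                        "are usually not needed")
    return findings

if __name__ == "__main__":
    for finding in check_load_tester(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```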


