[strongSwan] Performance issue with 20k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

Martin Willi martin at strongswan.org
Wed Sep 25 09:40:00 CEST 2013

> I find, there are lots of retransmissions (as it prints the status of
> the initiation with *character mostly) in console. I know, these are
> certainly considered to be bad. But I have set the retransmit_timeout
> and retransmit_tries to 300 seconds and 300 times respectively, which
> is huge.

The retransmissions usually indicate that one of the peers is
overloaded. Increasing retransmission timeouts can't solve your
performance limitations; this might help to work around the issues you
see in your lab, but certainly does not resemble what you have on a real
setup. Further, the charon.half_open_timeout strongswan.conf setting
defaulting to 30s will delete the IKE_SA on the responder if it does not
come up within that timeout.

As said before, I think you should focus on finding the bottleneck of
your setup rather than adjusting your client configuration. Use a
profiling tool.
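Added example, not part of the thread above: a small model of strongSwan's retransmission schedule, used to compare the defaults with the values quoted in the question and to check both against charon.half_open_timeout. It uses the formula documented for strongswan.conf (the n-th retransmit is sent if no reply arrives within retransmit_timeout * retransmit_base^n seconds, for n = 0 .. retransmit_tries; defaults 4.0 s, 1.8 and 5). The question only mentions retransmit_timeout and retransmit_tries, so retransmit_base is assumed to have been left at its default of 1.8.

```python
"""Model of strongSwan's IKEv2 retransmission schedule (added example).

Formula as documented for strongswan.conf: after the n-th transmission
(n = 0 is the original send) the initiator waits
    retransmit_timeout * retransmit_base ** n
seconds for a reply before sending the next copy, for n = 0..retransmit_tries,
and gives up after the last wait.  Defaults: 4.0 s, 1.8, 5 tries.
The responder-side charon.half_open_timeout (default 30 s) deletes an
IKE_SA that has not completed its setup within that window, regardless
of what the initiator's retransmission settings are.
"""

DEFAULT_TIMEOUT = 4.0   # charon.retransmit_timeout (seconds)
DEFAULT_BASE = 1.8      # charon.retransmit_base
DEFAULT_TRIES = 5       # charon.retransmit_tries
HALF_OPEN_TIMEOUT = 30.0  # charon.half_open_timeout default (seconds)


def retransmit_schedule(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE,
                        tries=DEFAULT_TRIES):
    """Wait intervals in seconds: entry n is the wait after transmission n.

    The list has tries + 1 entries; the last one is the wait before the
    exchange is abandoned.
    """
    return [timeout * base ** n for n in range(tries + 1)]


def time_to_give_up(schedule):
    """Total seconds an unanswered exchange is kept alive by the initiator."""
    return sum(schedule)


def retransmits_within(schedule, window):
    """Number of retransmits sent before `window` seconds have elapsed
    since the original send (e.g. while the responder's half-open IKE_SA
    still exists)."""
    elapsed = 0.0
    count = 0
    for wait in schedule[:-1]:   # the final wait is not followed by a send
        elapsed += wait
        if elapsed >= window:
            break
        count += 1
    return count


def describe(name, schedule, window=HALF_OPEN_TIMEOUT):
    """Human-readable summary for one set of settings."""
    lines = [f"{name}:"]
    lines.append(f"  retransmits: {len(schedule) - 1}, "
                 f"give up after {time_to_give_up(schedule):.1f} s")
    lines.append(f"  first retransmit after {schedule[0]:.1f} s; "
                 f"{retransmits_within(schedule, window)} retransmit(s) "
                 f"fall inside the {window:.0f} s half_open_timeout")
    return "\n".join(lines)


if __name__ == "__main__":
    # Stock settings: ~165 s in total, three retransmits inside 30 s.
    print(describe("defaults", retransmit_schedule()))
    # Settings quoted in the question (base assumed to be the default):
    # the first retransmit alone comes long after the responder has
    # already deleted the half-open IKE_SA.
    print(describe("question's settings",
                   retransmit_schedule(300.0, DEFAULT_BASE, 300)))
```

With the defaults the initiator retries at 4, 11.2 and 24.2 seconds, all inside the responder's 30 s window, and abandons the exchange after about 165 s; with retransmit_timeout=300 the very first retry arrives ten times later than the responder keeps the half-open IKE_SA, so raising the initiator values only hides the overload instead of fixing it.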
