[strongSwan] can large number of TS or xfrm cause slowness

SM K sacho.polo at gmail.com
Thu Dec 4 20:27:38 CET 2014


I am running some scalability tests with ike2 where the responder uses many
traffic selectors (around 35 of them defined in rightsubnet) to narrow down
the client traffic. I see that the responder gets slow and the tests start
failing after say 250 tunnels. If I open up the rightsubnet to, I
can pump in tunnels in the thousands. I am debugging this further, but I
would like to know if anyone has experienced something like this. Each of
the subnets in the TS sets up an xfrm policy, and I wonder if it is the xfrm
lookup that is getting slow as the number of tunnels increases.

