[strongSwan] Test with lots of concurrent connections

Martin Willi martin at strongswan.org
Mon Mar 31 12:51:06 CEST 2014


Steffen,

> - Are there generally things I should consider from the beginning that
>   will limit the amount of connections handled by strongswan?

The number of simultaneous connections is mostly limited by the
available RAM on your system. We did some memory optimizations recently,
depending on your configuration you'll need a few (3-8?) KB of memory
for each IKE_SA+CHILD_SA pair.

The connection rate is mostly limited by public key cryptography, namely
the Diffie-Hellman exchange. You'll need to find a good compromise
between speed and security; ECDH is certainly preferable, see [1].

> - Did someone build a test scenario that tests such amounts of clients?
>   If so, are you willing to share ideas or even code? (I am thinking
>   about using linux lxc containers on multiple machines with lots of
>   memory.... - any better ideas?)

To perform load-tests, it is not necessarily required to have dedicated
client installations. A single (or a few) clients can create many SAs to
put a tested installation under load. The load-tester [2] plugin does
so, you certainly should take a look at it. It doesn't generate/test the
data path, but IKE exchanges only. But it sounds like this is what you are
looking for anyway.

For some optimization tricks, have a look at [3], and more advanced
stuff on [4]. Logging [5] can affect performance significantly as well.
Having the data structures configured properly should allow charon to
scale nicely with SAs and CPU cores.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PublicKeySpeed
[2] https://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
[3] https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
[4] https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
[5] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration#Performance-consideration
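
A strongswan.conf sketch for a lab load generator that combines the points in the message above (load-tester plugin, an ECDH proposal, IKE_SA hash table sizing, reduced logging). This is an added example, not part of the original message or the project's documentation; the gateway address (192.0.2.1, a documentation range) and all numeric values are constructed placeholders to be tuned per test.

```conf
# strongswan.conf on the load-generating host (lab use only)
charon {
    # One IKE_SA per CHILD_SA, so every tunnel looks like a separate client
    reuse_ikesa = no

    # Worker threads; raise together with the number of CPU cores
    threads = 32

    # IKE_SA hash table with segmented locking. Both values are
    # illustrative and should be powers of two. Size the table on the
    # gateway under test as well, since it holds the same number of SAs.
    ikesa_table_size = 4096
    ikesa_table_segments = 16

    # Keep logging minimal while measuring: level 0 still records basic
    # audit events, higher levels cost throughput
    syslog {
        daemon {
            default = 0
        }
    }

    plugins {
        load-tester {
            enable = yes
            # 10 parallel initiators x 1000 iterations = 10000 IKE_SAs
            initiators = 10
            iterations = 1000
            # Pause between initiations per initiator, in milliseconds
            delay = 100
            # Gateway under test (constructed placeholder address)
            remote = 192.0.2.1
            # ECDH group instead of MODP to lower the per-connection
            # public key cost
            proposal = aes128-sha256-ecp256
            # PSK keeps signature operations out of the measurement
            initiator_auth = psk
            responder_auth = psk
        }
    }
}
```

The plugin exercises IKE exchanges only, so this setup measures connection rate and per-SA memory on the gateway, not data-path throughput.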


