[strongSwan] Performance with lots of tunnels and (XFRM) policies
Martin Willi
martin at strongswan.org
Tue Mar 10 14:35:23 CET 2015
Noel,

> I would like to know how the performance of strongswan/Linux is with
> about 1000 established tunnels and ~3000 (XFRM) policies.

I think XFRM policy lookup in the kernel scales fine, handling ~3000
policies shouldn't be a problem at all.

> How much traffic can be forwarded? Is the performance hit because of
> the large number of policies in any way significant?

I don't think so; IPsec throughput is mostly limited by your raw crypto
performance. Of course working on many SAs may reduce the efficiency of
your CPU caches compared to a single SA carrying all the traffic.

In the end you'll have to test your setup on your hardware to get any
useful answers. Given that some strongSwan installations handle ~100'000
tunnels just fine, scaling to 1000 active tunnels is no rocket science.

Regards
Martin