[strongSwan] High Scale VPN deployment recommendation?
ms at sys4.de
Wed Nov 16 08:35:36 CET 2016
Am Dienstag, 15. November 2016, 16:55:45 schrieb Hal Logan:
> I'm putting a config together for a server that will have as many as 10,000
> concurrent VPN connections running to it. Client will be OpenWRT Chaos
> Calmer, server will be a highly modified CentOS. Both ends will be running
> StrongSwan u5.3.5. The clients will be running split tunnel connections.
> I've looked for case studies, references, or recommendations for
> configuration approaches that specifically reference high scale design but
> haven't found any.
> For the server side, when routing traffic from the tunnels to other network
> resources is it generally more resource intensive to do that routing in the
> kernel, or would one expect lower utilization doing PBR or a road
> warrior-type approach?
> Any insight or suggestions are appreciated. If it helps the community I'm
> glad to provide hardware specs and performance benchmarks over time.
> Cheers and thank you,
I would suggest to put the server(s) behind a loadbalancer. So you can scale
better on the server side.
Your loadbalancer has to be able to balancer IKE and ESP together, i.e.
forward the client always to the same server. Give LVS a try. You would have
to use IP address pools distributed from the servers to enable the route back
to the client via the different servers.
Normally the crypto operations per second limit the performance. If you use a
CPU that does crypto operations in hardware please google for the performance
data / throughput of that CPU. Also the kernel has to support that hardware
encrption. But all modern kernels do that. Of course hardware enryption if
only possible if you do not have "top secret" traffic and trust the hardware
Also have an eye on the VPN setup rate. Establishing a VPN link needs
performance ,so you would like to have as few renegitiations per second as
If you have 10k clients and a tunnel lifetime of 3600 sec, you would have
about 3 IPsec SA negotioations per sec. That sounds reasonable.
Mit freundlichen Grüßen,
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 230 bytes
Desc: This is a digitally signed message part.
More information about the Users