[strongSwan] High Scale VPN deployment recommendation?
Michael Schwartzkopff
ms at sys4.de
Wed Nov 16 08:35:36 CET 2016
On Tuesday, 15 November 2016, 16:55:45, Hal Logan wrote:
> Hello,
>
> I'm putting a config together for a server that will have as many as 10,000
> concurrent VPN connections running to it. Client will be OpenWRT Chaos
> Calmer, server will be a highly modified CentOS. Both ends will be running
> StrongSwan u5.3.5. The clients will be running split tunnel connections.
> I've looked for case studies, references, or recommendations for
> configuration approaches that specifically reference high scale design but
> haven't found any.
>
> For the server side, when routing traffic from the tunnels to other network
> resources is it generally more resource intensive to do that routing in the
> kernel, or would one expect lower utilization doing PBR or a road
> warrior-type approach?
>
> Any insight or suggestions are appreciated. If it helps the community I'm
> glad to provide hardware specs and performance benchmarks over time.
>
> Cheers and thank you,
> Hal
I would suggest putting the server(s) behind a load balancer. So you can scale
better on the server side.

Your load balancer has to be able to balance IKE and ESP together, i.e.
forward the client always to the same server. Give LVS a try. You would have
to use IP address pools distributed from the servers to enable the route back
to the client via the different servers.

Normally the crypto operations per second limit the performance. If you use a
CPU that does crypto operations in hardware please google for the performance
data / throughput of that CPU. Also the kernel has to support that hardware
encryption. But all modern kernels do that. Of course hardware encryption is
only possible if you do not have "top secret" traffic and trust the hardware
vendors.

Also have an eye on the VPN setup rate. Establishing a VPN link needs
performance, so you would like to have as few renegotiations per second as
possible.

If you have 10k clients and a tunnel lifetime of 3600 sec, you would have
about 3 IPsec SA negotiations per sec. That sounds reasonable.
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
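
The reply above asks for a load balancer that forwards a client's IKE and ESP traffic to the same server and suggests LVS. One way to express that with an LVS firewall-mark service is sketched below as an added example; it is not part of the original message or of the strongSwan project. The VIP, real-server addresses, mark value, scheduler, direct-routing mode and persistence timeout are all assumptions, and the script only prints the commands for review.

```shell
#!/bin/sh
# Added example: prints (does not execute) an LVS rule set that keeps IKE,
# NAT-T and ESP from one client on the same strongSwan gateway.
# Every value below is a constructed placeholder, not taken from the thread.
VIP="192.0.2.10"                          # virtual IP the clients connect to
REALS="198.51.100.11 198.51.100.12"       # strongSwan gateways behind the director
FWMARK=1                                  # one mark shared by all IPsec traffic
PERSIST=3600                              # seconds; assumed equal to the tunnel lifetime

lvs_ipsec_rules() {
    # 1. Tag IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) sent to
    #    the VIP with the same firewall mark, so LVS sees one service.
    for match in "-p udp --dport 500" "-p udp --dport 4500" "-p esp"; do
        echo "iptables -t mangle -A PREROUTING -d $VIP $match -j MARK --set-mark $FWMARK"
    done

    # 2. One virtual service keyed on the mark. Persistence (-p) pins every
    #    packet from a client address to the real server chosen first, which
    #    is what keeps the IKE exchange and its ESP traffic together.
    echo "ipvsadm -A -f $FWMARK -s rr -p $PERSIST"

    # 3. Register the gateways; -g is direct routing (assumed here), so each
    #    gateway must also hold the VIP without answering ARP for it.
    for rs in $REALS; do
        echo "ipvsadm -a -f $FWMARK -r $rs -g"
    done
}

# Review the output, then apply it on the director as root.
lvs_ipsec_rules
```

As the reply notes, each gateway also needs its own virtual IP pool, with the inner network routing each pool back to the gateway that owns it, so return traffic reaches the right tunnel.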