[strongSwan] Can strongSwan support 100k concurrent connections?

Andreas Steffen andreas.steffen at strongswan.org
Mon Jan 16 13:06:45 CET 2017


Hi Varun,

we have customers who have successfully been running up to 60k
concurrent tunnels. In order to maximize performance please have
a look at the use of hash tables for IKE_SA lookup

   https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable

as well as job priority management

   https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority

We also recommend to use file-based logging since writing to syslog
extremely slows down the charon daemon

   https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

The bottleneck for IKE processing is the Diffie-Hellman key exchange
where 70-80 % of the computing effort is spent. Use the ecp256 or
the new curve25519 (available with strongSwan 5.5.2) DH groups for
maximum performance.

ESP throughput is limited by the number of available cores and the
processor clock frequency. Use aes128gcm16 for maximum performance.

Best regards

Andreas

On 16.01.2017 19:00, Varun Singh wrote:
> Hi,
> As I understand, strongSwan supports scalability from 4.x onwards. I
> am new to strongSwan and to VPN in general.
> I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
> Though I have read that strongSwan supports scalability, I couldn't
> find stats to support it.
> Before adopting strongSwan, my team wanted to know *if it can support
> upto 100k simultaneous connections*. Hence I need to find pointers to
> obtain this kind of information.
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170116/86244cec/attachment.bin>


More information about the Users mailing list