[strongSwan] Can strongSwan support 100k concurrent connections?

Michael Schwartzkopff ms at sys4.de
Mon Jan 16 13:34:46 CET 2017


Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen:
> Hi Varun,
> 
> we have customers who have successfully been running up to 60k
> concurrent tunnels. In order to maximize performance please have
> a look at the use of hash tables for IKE_SA lookup
> 
>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> 
> as well as job priority management
> 
>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> 
> We also recommend to use file-based logging since writing to syslog
> extremely slows down the charon daemon
> 
>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> 
> The bottleneck for IKE processing is the Diffie-Hellman key exchange
> where 70-80 % of the computing effort is spent. Use the ecp256 or
> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> maximum performance.
> 
> ESP throughput is limited by the number of available cores and the
> processor clock frequency. Use aes128gcm16 for maximum performance.
> 
> Best regards
> 
> Andreas
> 
> On 16.01.2017 19:00, Varun Singh wrote:
> > Hi,
> > As I understand, strongSwan supports scalability from 4.x onwards. I
> > am new to strongSwan and to VPN in general.
> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
> > Though I have read that strongSwan supports scalability, I couldn't
> > find stats to support it.
> > Before adopting strongSwan, my team wanted to know *if it can support
> > upto 100k simultaneous connections*. Hence I need to find pointers to
> > obtain this kind of information.

hi,

I think further scaling might be possible with loadbalancers. But this is 
topic of deeper investigation of the project.

Mit freundlichen Grüßen,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170116/1fac8db4/attachment.sig>


More information about the Users mailing list