[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Mon Jan 16 13:39:00 CET 2017 

On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen:
>> Hi Varun,
>>
>> we have customers who have successfully been running up to 60k
>> concurrent tunnels. In order to maximize performance please have
>> a look at the use of hash tables for IKE_SA lookup
>>
>>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>
>> as well as job priority management
>>
>>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>
>> We also recommend to use file-based logging since writing to syslog
>> extremely slows down the charon daemon
>>
>>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>
>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> maximum performance.
>>
>> ESP throughput is limited by the number of available cores and the
>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>
>> Best regards
>>
>> Andreas
>>
>> On 16.01.2017 19:00, Varun Singh wrote:
>> > Hi,
>> > As I understand, strongSwan supports scalability from 4.x onwards. I
>> > am new to strongSwan and to VPN in general.
>> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS.
>> > Though I have read that strongSwan supports scalability, I couldn't
>> > find stats to support it.
>> > Before adopting strongSwan, my team wanted to know *if it can support
>> > upto 100k simultaneous connections*. Hence I need to find pointers to
>> > obtain this kind of information.
>
> hi,
>
> I think further scaling might be possible with loadbalancers. But this is
> topic of deeper investigation of the project.
>
> Mit freundlichen Grüßen,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> Schleißheimer Straße 26/MG, 80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> Aufsichtsratsvorsitzender: Florian Kirstein
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Thanks Michael,
I was just searching whether load balancing is supported by strongSwan
or not. Came across this thread:
https://lists.strongswan.org/pipermail/users/2013-November/005615.html

But this didn't lead to any conclusion.
So is load balancing supported by strongSwan?

-- 
Regards,
Varun

More information about the Users mailing list