[strongSwan] strongSwan behind loadbalancers? (Was: Can strongSwan support 100k concurrent connections?)

Michael Schwartzkopff ms at sys4.de
Mon Jan 16 13:55:15 CET 2017


On Monday, 16 January 2017, 12:52:48, Turbo Fredriksson wrote:
> On 16 Jan 2017, at 12:34, Michael Schwartzkopff <ms at sys4.de> wrote:
> > I think further scaling might be possible with loadbalancers. But this is
> > topic of deeper investigation of the project.
> 
> Actually, I’ve been thinking in those terms myself. At the moment, my VPN
> endpoint is a single-point-of-failure, which was kinda “intentional”
> (meaning, I figured it was too much of a hassle to do it any other way at
> the moment).
> 
> But eventually (within the next six months probably), I’m going to have to
> make it more resilient (it’s in AWS, which means that Amazon can kill my
> current instance “at any time”). Starting a new one only takes five, ten
> minutes, which is why I haven’t bothered before.

You can use cluster solutions like pacemaker to make the VPN server HA. Then 
you have your failover in 30 sec.


> But roughly, what’s required to run strongSwan behind a load balancer?
> 
> Is it as simple as create the LB, ‘forward’ the 50-51/500/4500 ports to the
> instance(s)? Because the AWS ELB can’t do UDP load balancing, how do I get
> around that limitation?

Use LVS or haproxy.


Kind regards,

Michael Schwartzkopff

-- 
sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: Munich, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
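An added example, not from this thread or from the strongSwan project: a small checker for the forwarding plan described above ("forward the 50-51/500/4500 ports"). It encodes the two things a port-based UDP balancer in front of an IKEv2 gateway has to get right: UDP/500 and UDP/4500 from one client must land on the same backend (the IKE SA and its CHILD_SAs live on one node), and ESP (IP protocol 50) and AH (51) have no port to match on, so they either need UDP encapsulation on 4500 (strongSwan's `forceencaps=yes`) or a balancer that forwards raw IP protocols. The `Rule` model and the `affinity` field are this example's own assumptions; protocol and port numbers are the IANA-assigned ones.

```python
"""Check a planned UDP load-balancer rule set for an IKEv2/IPsec gateway.

Added example, not code from the mailing list or from strongSwan.
IANA values: ESP = IP proto 50, AH = 51, IKE = UDP/500, NAT-T = UDP/4500.
"""
from dataclasses import dataclass
from typing import List, Optional

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Rule:
    """One forwarding rule on the balancer (constructed model, not an LB API)."""
    proto: int             # IP protocol number
    port: Optional[int]    # L4 port; None for protocols that have no ports
    affinity: str          # persistence group: same group => same backend


def check_rules(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the plan is sound."""
    findings: List[str] = []
    by_key = {(r.proto, r.port): r for r in rules}
    ike = by_key.get((IP_PROTO_UDP, IKE_PORT))
    natt = by_key.get((IP_PROTO_UDP, NAT_T_PORT))

    # IKE_SA_INIT arrives on UDP/500; after NAT detection the peer moves to 4500.
    if ike is None:
        findings.append("missing UDP/500: IKE_SA_INIT cannot reach the gateways")
    if natt is None:
        findings.append("missing UDP/4500: NAT-T IKE and UDP-encapsulated ESP are dropped")
    # Both ports of one client must stick to the same node: IKE and IPsec SA
    # state is per gateway unless a dedicated HA/sync mechanism is in place.
    if ike and natt and ike.affinity != natt.affinity:
        findings.append("UDP/500 and UDP/4500 must share one affinity group: "
                        "the IKE SA and its CHILD_SAs live on one node")
    # ESP/AH carry an SPI, not a port, so a port-matching balancer cannot
    # forward them; encapsulate in UDP/4500 or use a balancer that handles raw IP protocols.
    for proto, name in ((IP_PROTO_ESP, "ESP/50"), (IP_PROTO_AH, "AH/51")):
        if (proto, None) in by_key:
            findings.append(f"{name} has no port: a UDP port balancer cannot match it; "
                            "use UDP encapsulation on 4500 (strongSwan forceencaps=yes) "
                            "or a balancer that forwards raw IP protocols")
    return findings


if __name__ == "__main__":
    # Constructed plan mirroring the question: 50, 51, 500 and 4500 forwarded,
    # but 500 and 4500 in different persistence groups.
    plan = [Rule(IP_PROTO_UDP, IKE_PORT, "ike"), Rule(IP_PROTO_UDP, NAT_T_PORT, "natt"),
            Rule(IP_PROTO_ESP, None, "ike"), Rule(IP_PROTO_AH, None, "ike")]
    for finding in check_rules(plan):
        print("FINDING:", finding)
```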