[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Mon Jan 16 14:00:15 CET 2017


On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> On Monday, 16 January 2017 at 18:09:00, Varun Singh wrote:
>> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> > On Monday, 16 January 2017 at 20:06:45, Andreas Steffen wrote:
>> >> Hi Varun,
>> >>
>> >> we have customers who have successfully been running up to 60k
>> >> concurrent tunnels. In order to maximize performance please have
>> >> a look at the use of hash tables for IKE_SA lookup
>> >>
>> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>> >>
>> >> as well as job priority management
>> >>
>> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>> >>
>> >> We also recommend using file-based logging, since writing to syslog
>> >> slows the charon daemon down extremely
>> >>
>> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>> >>
>> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange,
>> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> >> maximum performance.
>> >>
>> >> ESP throughput is limited by the number of available cores and the
>> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>> >>
>> >> Best regards
>> >>
>> >> Andreas
>> >>
>> >> On 16.01.2017 19:00, Varun Singh wrote:
>> >> > Hi,
>> >> > As I understand, strongSwan supports scalability from 4.x onwards. I
>> >> > am new to strongSwan and to VPNs in general.
>> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
>> >> > Though I have read that strongSwan supports scalability, I couldn't
>> >> > find stats to support it.
>> >> > Before adopting strongSwan, my team wanted to know *if it can support
>> >> > up to 100k simultaneous connections*. Hence I need to find pointers to
>> >> > obtain this kind of information.
>> >
>> > hi,
>> >
>> > I think further scaling might be possible with load balancers. But this is
>> > a topic for deeper investigation in the project.
>> >
>> > Best regards,
>> >
>> > Michael Schwartzkopff
>> >
>> > --
>> > [*] sys4 AG
>> >
>> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> > Schleißheimer Straße 26/MG, 80333 München
>> >
>> > Registered office: München, Amtsgericht München: HRB 199263
>> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>> > Chairman of the supervisory board: Florian Kirstein
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>> Thanks Michael,
>> I was just searching whether load balancing is supported by strongSwan
>> or not. Came across this thread:
>> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>
>> But this didn't lead to any conclusion.
>> So is load balancing supported by strongSwan?
>
> If you use LVS in front, the VPN server does not know about the load balancing.
> You would have to find a solution for the reverse traffic, i.e. IP pools on the
> VPN server.
>
> LVS offers a feature to do load balancing with firewall marks. This might be
> necessary for balancing IKE and ESP together.
>
> I don't know if an SA sync between strongSwan servers is possible.
>
> But anyway: this setup should be designed and tested very carefully.
>
>
> Best regards,
>
> Michael Schwartzkopff
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>


"You would have to find a solution for the reverse traffic, i.e. IP pools on the
VPN server."
-> This is what I am mainly concerned about. There is something called
clusterIP. I need to figure out what it is and how can I use it for
load balancing.


"I don't know if a SA sync between strongswan servers is possible."
-> I guess this will be needed if server_1 fails and the user should
automatically be switched to server_2. Is that right?

-- 
Regards,
Varun
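The tuning that Andreas lists above (IKE_SA hash table, job priorities, file logging instead of syslog, cheap DH group and AES-GCM for ESP) maps onto a handful of strongswan.conf and ipsec.conf settings. The fragment below is an added example written for this page; it is not from the thread or from the strongSwan project, the numeric values are assumptions to be sized for the gateway in question, and it uses the strongswan.conf syntax of the 5.x releases discussed here (the filelog section is keyed by file path, as it was before swanctl-era releases changed it to a named section with a path option).

```conf
# /etc/strongswan.conf (added example; all numbers are tuning assumptions)
charon {
    # worker threads; the default of 16 is low for a gateway expected to
    # terminate tens of thousands of tunnels
    threads = 32

    # IKE_SA hash table (wiki/IkeSaTable). The default is a single bucket,
    # i.e. every lookup walks a linear list of all IKE_SAs, which is the
    # first thing that hurts at this scale. Segments must be a power of two;
    # using powers of two for the table size as well is the safe choice.
    ikesa_table_size = 8192
    ikesa_table_segments = 256

    # Job priority management (wiki/JobPriority): reserve worker threads
    # for high priority jobs (DPD, rekeying of established SAs) so that a
    # flood of new IKE_SA_INIT requests cannot starve existing tunnels.
    processor {
        priority_threads {
            high = 4
            medium = 8
        }
    }

    # File-based logging (wiki/LoggerConfiguration) instead of syslog.
    # Keep the level at 1: level 2 and above on a busy gateway is itself a
    # bottleneck, and flush_line = yes costs a write per line.
    filelog {
        /var/log/charon.log {
            default = 1
            time_format = %b %e %T
            append = yes
            flush_line = no
        }
    }
    # -1 silences the syslog logger entirely
    syslog {
        daemon {
            default = -1
        }
    }
}

# /etc/ipsec.conf, proposal lines of the road-warrior conn (added example;
# conn name and the rest of the conn are assumed)
conn roadwarrior
    # AEAD cipher for IKE needs an explicit PRF; ecp256 is the cheap DH group.
    # Replace ecp256 with curve25519 once both peers run strongSwan >= 5.5.2.
    # The trailing "!" makes the proposal strict, so a client cannot
    # negotiate a slower group or cipher.
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16!
```

Two checks worth doing before load testing: confirm with `ipsec statusall` that the proposal actually in use is the AEAD/ecp256 one (a client that does not support it will fail rather than fall back, which is the intent of the strict proposal), and watch the charon log level, since raising it to 2 or more for debugging on a gateway under load will distort any throughput numbers you measure.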

