[strongSwan] Can strongSwan support 100k concurrent connections?

Michael Schwartzkopff ms at sys4.de
Mon Jan 16 14:02:37 CET 2017


On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
> >> >> Hi Varun,
> >> >> 
> >> >> we have customers who have successfully been running up to 60k
> >> >> concurrent tunnels. In order to maximize performance please have
> >> >> a look at the use of hash tables for IKE_SA lookup
> >> >> 
> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> >> 
> >> >> as well as job priority management
> >> >> 
> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> >> 
> >> >> We also recommend using file-based logging, since writing to syslog
> >> >> extremely slows down the charon daemon
> >> >> 
> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >> >> 
> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange
> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> >> maximum performance.
> >> >> 
> >> >> ESP throughput is limited by the number of available cores and the
> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> >> 
> >> >> Best regards
> >> >> 
> >> >> Andreas
> >> >> 
> >> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> >> > Hi,
> >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I
> >> >> > am new to strongSwan and to VPN in general.
> >> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
> >> >> > Though I have read that strongSwan supports scalability, I couldn't
> >> >> > find stats to support it.
> >> >> > Before adopting strongSwan, my team wanted to know *if it can
> >> >> > support up to 100k simultaneous connections*. Hence I need to find
> >> >> > pointers to obtain this kind of information.
> >> > 
> >> > Hi,
> >> > 
> >> > I think further scaling might be possible with load balancers. But this
> >> > is a topic for deeper investigation in the project.
> >> > 
> >> > Kind regards,
> >> > 
> >> > Michael Schwartzkopff
> >> > 
> >> > --
> >> > [*] sys4 AG
> >> > 
> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> >> > Schleißheimer Straße 26/MG, 80333 München
> >> > 
> >> > Registered office: Munich, Munich District Court (Amtsgericht München): HRB 199263
> >> > Board: Patrick Ben Koetter, Marc Schiffbauer
> >> > Chairman of the Supervisory Board: Florian Kirstein
> >> > _______________________________________________
> >> > Users mailing list
> >> > Users at lists.strongswan.org
> >> > https://lists.strongswan.org/mailman/listinfo/users
> >> 
> >> Thanks Michael,
> >> I was just searching whether load balancing is supported by strongSwan
> >> or not. Came across this thread:
> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> >> 
> >> But this didn't lead to any conclusion.
> >> So is load balancing supported by strongSwan?
> > 
> > if you use LVS in front of it, the VPN server does not know about the load
> > balancing. You would have to find a solution for the reverse traffic,
> > i.e. IP pools on the VPN server.
> > 
> > LVS offers a feature to do load balancing with firewall marks. This might
> > be necessary for balancing IKE and ESP together.
> > 
> > I don't know if a SA sync between strongswan servers is possible.
> > 
> > But anyway: This setup should be designed and tested very carefully.
> > 
> > 
> > Kind regards,
> > 
> > Michael Schwartzkopff
> > 
> 
> "You would have to find a solution for the reverse traffic, i.e. IP pools on
> the VPN server."
> -> This is what I am mainly concerned about. There is something called
> clusterIP. I need to figure out what it is and how I can use it for
> load balancing.
> 
> 
> "I don't know if a SA sync between strongswan servers is possible."
> -> I guess this will be needed if server_1 fails and the user should
> automatically be switched to server_2. Is that right?

these questions depend on your concept / design / implementation.

if you can afford a little downtime, DPD could be an option for you.




Kind regards,

Michael Schwartzkopff

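The tuning points Andreas lists (IKE_SA hash table, job priorities, file logging instead of syslog, ecp256 and aes128gcm16) and the DPD and IP-pool points Michael raises can be turned into concrete settings. The following strongswan.conf and ipsec.conf fragments are an added example for a 5.3.x gateway, not taken from the thread or from the strongSwan project; every option name is a real strongSwan option, but the table sizes, thread counts, log path, conn name, certificate file and address pool are assumptions chosen for illustration.

```conf
# /etc/strongswan.conf  (added example; sizes and paths are assumptions)
charon {
    # Hash-table lookup of IKE_SAs instead of the default linear list.
    # Both values default to 1 and are fixed at daemon start.
    ikesa_table_size = 4096
    ikesa_table_segments = 32

    # More worker threads than the default of 16, plus threads reserved for
    # critical/high/medium priority jobs so DPD and rekeying are not starved
    # by a burst of new IKE_SA_INIT requests.
    threads = 32
    processor {
        priority_threads {
            critical = 2
            high = 4
            medium = 8
        }
    }

    # Start sending IKEv2 cookies early and cap half-open SAs, so a flood of
    # IKE_SA_INITs does not burn all cores on Diffie-Hellman.
    cookie_threshold = 500
    init_limit_half_open = 5000

    # Log to a file at level 1; silence the syslog logger entirely.
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            flush_line = no
        }
    }
    syslog {
        daemon {
            default = -1
        }
    }
}

# /etc/ipsec.conf  (added example; conn name, cert and pool are assumptions)
config setup

conn rw
    keyexchange=ikev2
    # AES-GCM for IKE and ESP, ECP-256 for the one DH exchange per IKE_SA.
    # On 5.5.2 or later the IKE proposal may use x25519 (curve25519) instead.
    # Appending -ecp256 to the esp line would add PFS at the cost of one more
    # DH per CHILD_SA rekey.
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16!
    # IKEv2 DPD: probe a silent peer after 30s of inactivity; the probe is
    # retransmitted on charon's normal retransmit schedule (a few minutes with
    # the defaults) before the SA is cleared. Clients use dpdaction=restart.
    dpdaction=clear
    dpddelay=30s
    # Behind a load balancer every gateway needs its own, non-overlapping
    # pool, and the internal network must route each pool back to that
    # gateway; this is the "reverse traffic" problem from the thread.
    rightsourceip=10.10.0.0/16
    # A peer moving to a new address via MOBIKE would be hashed to a different
    # gateway by a source-IP balancer, so disable it in that setup.
    mobike=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=gatewayCert.pem
    right=%any
    auto=add
```

A restart of charon is needed for the table and thread settings to take effect. Failover with DPD alone means every client on a failed gateway re-negotiates from scratch (a full DH exchange each), so the IKE-side limits above also govern how quickly a surviving gateway absorbs that wave.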
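Michael's point about balancing IKE and ESP together with LVS firewall marks can be shown as a small rule generator. This is an added example, not code from the thread or from either project: it assumes a VIP of 198.51.100.10, fwmark 500, LVS direct-routing mode and three hypothetical real servers, and it only prints the iptables and ipvsadm commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Print LVS/fwmark rules that send a client's IKE (UDP 500/4500) and ESP
# (IP protocol 50) to the same strongSwan real server.  Added example; the
# addresses and the mark value are assumptions.
#
# Why fwmark + source hashing: the balancer cannot read SPIs inside ESP, and
# each gateway holds only its own SAs (no SA sync is assumed), so the only
# key that ties IKE and ESP of one client together is the client source IP.

lvs_rules() {
    vip=$1
    mark=$2
    shift 2
    # Mark all IPsec traffic for the VIP with one fwmark.
    echo "iptables -t mangle -A PREROUTING -d $vip -p udp -m multiport --dports 500,4500 -j MARK --set-mark $mark"
    echo "iptables -t mangle -A PREROUTING -d $vip -p esp -j MARK --set-mark $mark"
    # One virtual service keyed on the mark; 'sh' = source hashing, so every
    # packet from a given client IP lands on the same real server.
    echo "ipvsadm -A -f $mark -s sh"
    for rs in "$@"; do
        # -g: direct routing, the real server answers the client itself with
        # the VIP as source address (VIP on lo, ARP suppressed, on each one).
        echo "ipvsadm -a -f $mark -r $rs -g"
    done
}

# Example invocation with constructed addresses; pipe to 'sh' as root to apply.
lvs_rules 198.51.100.10 500 10.0.0.11 10.0.0.12 10.0.0.13
```

Two caveats follow directly from the source-hash choice: all clients behind one NAT share a source IP and therefore one gateway, which skews the distribution, and a client that changes address (MOBIKE, or a NAT rebinding on UDP 4500) is hashed to a gateway that has no SA for it and must re-establish. When a gateway dies, its clients likewise only recover through DPD and a fresh negotiation, which is the "little downtime" trade-off mentioned above.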