[strongSwan] Can strongSwan support 100k concurrent connections?

Michael Schwartzkopff ms at sys4.de
Mon Jan 16 14:32:46 CET 2017


On Monday, 16 January 2017, 18:55:35, you wrote:
> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> > On Monday, 16 January 2017, 18:30:15, Varun Singh wrote:
> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> >> > On Monday, 16 January 2017, 18:09:00, Varun Singh wrote:
> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> >> >> > On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
> >> >> >> Hi Varun,
> >> >> >> 
> >> >> >> we have customers who have successfully been running up to 60k
> >> >> >> concurrent tunnels. In order to maximize performance please have
> >> >> >> a look at the use of hash tables for IKE_SA lookup
> >> >> >> 
> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
> >> >> >> 
> >> >> >> as well as job priority management
> >> >> >> 
> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
> >> >> >> 
> >> >> >> We also recommend using file-based logging, since writing to syslog
> >> >> >> extremely slows down the charon daemon
> >> >> >> 
> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >> >> >> 
> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange,
> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
> >> >> >> maximum performance.
> >> >> >> 
> >> >> >> ESP throughput is limited by the number of available cores and the
> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
> >> >> >> 
> >> >> >> Best regards
> >> >> >> 
> >> >> >> Andreas
> >> >> >> 
> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
> >> >> >> > Hi,
> >> >> >> > As I understand, strongSwan supports scalability from 4.x onwards.
> >> >> >> > I am new to strongSwan and to VPN in general.
> >> >> >> > I have set up strongSwan 5.3.5 installed on Ubuntu 16.04 LTS.
> >> >> >> > Though I have read that strongSwan supports scalability, I couldn't
> >> >> >> > find stats to support it.
> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can support
> >> >> >> > up to 100k simultaneous connections*. Hence I need to find pointers
> >> >> >> > to obtain this kind of information.
> >> >> > 
> >> >> > Hi,
> >> >> > 
> >> >> > I think further scaling might be possible with load balancers. But
> >> >> > this is a topic for deeper investigation of the project.
> >> >> > 
> >> >> > Kind regards,
> >> >> > 
> >> >> > Michael Schwartzkopff
> >> >> > 
> >> >> > --
> >> >> > [*] sys4 AG
> >> >> > 
> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
> >> >> > Schleißheimer Straße 26/MG, 80333 München
> >> >> > 
> >> >> > Registered office: München, Amtsgericht München: HRB 199263
> >> >> > Board of directors: Patrick Ben Koetter, Marc Schiffbauer
> >> >> > Chairman of the supervisory board: Florian Kirstein
> >> >> > _______________________________________________
> >> >> > Users mailing list
> >> >> > Users at lists.strongswan.org
> >> >> > https://lists.strongswan.org/mailman/listinfo/users
> >> >> 
> >> >> Thanks Michael,
> >> >> I was just searching whether load balancing is supported by strongSwan
> >> >> or not. Came across this thread:
> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
> >> >> 
> >> >> But this didn't lead to any conclusion.
> >> >> So is load balancing supported by strongSwan?
> >> > 
> >> > If you use LVS in front, the VPN server does not know about the load
> >> > balancing. You would have to find a solution for the reverse traffic,
> >> > i.e. IP pools on the VPN server.
> >> > 
> >> > LVS offers a feature to do load balancing with firewall marks. This
> >> > might be necessary for balancing IKE and ESP together.
> >> > 
> >> > I don't know if an SA sync between strongSwan servers is possible.
> >> > 
> >> > But anyway: this setup should be designed and tested very carefully.
> >> > 
> >> > 
> >> 
> >> "You would have to find a solution for the reverse traffic, i.e. IP pools
> >> on the VPN server."
> >> -> This is what I am mainly concerned about. There is something called
> >> clusterIP. I need to figure out what it is and how I can use it for
> >> load balancing.
> >> 
> >> 
> >> "I don't know if a SA sync between strongswan servers is possible."
> >> -> I guess this will be needed if server_1 fails and the user should
> >> automatically be switched to server_2. Is that right?
> > 
> > These questions depend on your concept / design / implementation.
> > 
> > If you can afford a little downtime, DPD could be an option for you.
> > 
> > 
> 
> My objective is mainly scalability. So if one instance can support 60k
> concurrent connections and I expect 100k connections, then I can
> deploy 2 instances. Am I on the right track?

No. If one instance fails, then the other would have to serve all connections.
This will overload it.

The same happens if you want to take one instance down for maintenance.

You need at least 3 instances with these performance figures.


Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
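The tuning advice quoted earlier in the thread (IKE_SA hash table, job priority threads, file-based logging instead of syslog, ecp256/curve25519 and aes128gcm16 proposals) collected into one configuration, as an added example that is not part of the thread or of the strongSwan project's own documentation. The numeric values are assumed starting points for a large gateway, not figures from the wiki pages; the section and key names are the standard strongswan.conf and ipsec.conf ones.

```conf
# strongswan.conf (added example; the numbers are assumptions, tune per host)
charon {
    # IKE_SA lookup through a hash table instead of a linear list
    # (see the IkeSaTable wiki page). Sizes here are example values.
    ikesa_table_size = 4096
    ikesa_table_segments = 64

    # Job priority management (see the JobPriority wiki page): reserve
    # worker threads for critical/high/medium jobs so that bulk work
    # cannot starve IKE_SA setup and rekeying under load.
    threads = 32
    processor {
        priority_threads {
            critical = 2
            high = 4
            medium = 8
        }
    }

    # File-based logging. The section name is used as the log file path,
    # which works on 5.3.5 as well as on newer releases.
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            flush_line = no
        }
    }
    # Silence syslog (level -1) so charon never blocks on the syslog socket.
    syslog {
        daemon {
            default = -1
        }
    }
}

# ipsec.conf fragment (added example): DH group and ESP cipher recommended
# in the thread. curve25519 requires strongSwan 5.5.2 or later; on 5.3.5
# replace it with ecp256. The trailing "!" makes the proposal strict.
conn roadwarrior
    ike=aes128gcm16-prfsha256-curve25519!
    esp=aes128gcm16!
```

After changing strongswan.conf, reload or restart charon and confirm in /var/log/charon.log that the hash table and thread settings were picked up before load-testing against the 60k-per-instance figure quoted above.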

