[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Mon Jan 16 14:54:01 CET 2017


On Mon, Jan 16, 2017 at 7:03 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> On 16.01.2017 20:39, Varun Singh wrote:
>>
>> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>>>
>>> On Monday, 16 January 2017, 20:06:45, Andreas Steffen wrote:
>>>>
>>>> Hi Varun,
>>>>
>>>> we have customers who have successfully been running up to 60k
>>>> concurrent tunnels. In order to maximize performance please have
>>>> a look at the use of hash tables for IKE_SA lookup
>>>>
>>>>     https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>>>
>>>> as well as job priority management
>>>>
>>>>     https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>>>
>>>> We also recommend using file-based logging, since writing to syslog
>>>> extremely slows down the charon daemon
>>>>
>>>>     https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>>>
>>>> The bottleneck for IKE processing is the Diffie-Hellman key exchange
>>>> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>>> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>>> maximum performance.
>>>>
>>>> ESP throughput is limited by the number of available cores and the
>>>> processor clock frequency. Use aes128gcm16 for maximum performance.
>>>>
>>>> Best regards
>>>>
>>>> Andreas
>>>>
>>>> On 16.01.2017 19:00, Varun Singh wrote:
>>>>>
>>>>> Hi,
>>>>> As I understand, strongSwan supports scalability from 4.x onwards. I
>>>>> am new to strongSwan and to VPN in general.
>>>>> I have set up strongSwan 5.3.5, installed on Ubuntu 16.04 LTS.
>>>>> Though I have read that strongSwan supports scalability, I couldn't
>>>>> find stats to support it.
>>>>> Before adopting strongSwan, my team wanted to know *if it can support
>>>>> up to 100k simultaneous connections*. Hence I need to find pointers to
>>>>> obtain this kind of information.
>>>
>>>
>>> Hi,
>>>
>>> I think further scaling might be possible with load balancers. But this is
>>> a topic for deeper investigation of the project.
>>>
>>> Kind regards,
>>>
>>> Michael Schwartzkopff
>>>
>>> --
>>> [*] sys4 AG
>>>
>>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> Schleißheimer Straße 26/MG, 80333 München
>>>
>>> Registered office: Munich, District Court of Munich: HRB 199263
>>> Executive board: Patrick Ben Koetter, Marc Schiffbauer
>>> Chairman of the supervisory board: Florian Kirstein
>>
>>
>> Thanks Michael,
>> I was just searching whether load balancing is supported by strongSwan
>> or not. Came across this thread:
>> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>
>> But this didn't lead to any conclusion.
>> So is load balancing supported by strongSwan?
>>
> Have a look at strongSwan's High Availability (HA) solution
>
>   https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> which can be run in an active-active mode where the load-balancing
> is achieved by Cluster IP.
>
> Andreas
>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

Thanks for the pointers.

-- 
Regards,
Varun
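
The tuning points from Andreas's quoted reply (IKE_SA hash table, job priorities, file-based logging, ecp256 and aes128gcm16 proposals), written out as configuration. This is an added example, not part of the original thread or the strongSwan project's own configuration; it uses the 5.3.x strongswan.conf syntax, and every number and the log file path are assumed values to be sized against the real load.

```conf
# ---- strongswan.conf (added example; all numbers are assumptions) ----
charon {
    # Hash table for IKE_SA lookup. Sizes are powers of two and the
    # segment count does not exceed the table size.
    ikesa_table_size = 4096
    ikesa_table_segments = 64

    # Worker threads, with some reserved per job priority class so that
    # lower-priority jobs cannot occupy every thread.
    threads = 32
    processor {
        priority_threads {
            high = 2
            medium = 8
        }
    }

    # File-based logging instead of syslog (assumed path).
    filelog {
        /var/log/charon.log {
            default = 1
            append = yes
            flush_line = no
        }
    }

    # Silence the daemon's syslog output (-1 = no logging).
    syslog {
        daemon {
            default = -1
        }
        auth {
            default = -1
        }
    }
}

# ---- ipsec.conf: proposals named in the reply ----
conn %default
    keyexchange=ikev2
    # AES-128-GCM with a 16-byte ICV and ECP-256 DH; curve25519 can
    # replace ecp256 on strongSwan 5.5.2 or later.
    ike=aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16-ecp256!
```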

