[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Mon Jan 16 14:54:47 CET 2017


On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
> On Monday, 16 January 2017, 18:55:35 you wrote:
>> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> > On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
>> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> >> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
>> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> >> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>> >> >> >> Hi Varun,
>> >> >> >>
>> >> >> >> we have customers who have successfully been running up to 60k
>> >> >> >> concurrent tunnels. In order to maximize performance please have
>> >> >> >> a look at the use of hash tables for IKE_SA lookup
>> >> >> >>
>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>> >> >> >>
>> >> >> >> as well as job priority management
>> >> >> >>
>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>> >> >> >>
>> >> >> >> We also recommend using file-based logging, since writing to syslog
>> >> >> >> slows down the charon daemon extremely
>> >> >> >>
>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>> >> >> >>
>> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
>> >> >> >> exchange
>> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>> >> >> >> maximum performance.
>> >> >> >>
>> >> >> >> ESP throughput is limited by the number of available cores and the
>> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>> >> >> >>
>> >> >> >> Best regards
>> >> >> >>
>> >> >> >> Andreas
>> >> >> >>
>> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
>> >> >> >> > Hi,
>> >> >> >> > As I understand, strongSwan supports scalability from 4.x
>> >> >> >> > onwards. I am new to strongSwan and to VPN in general.
>> >> >> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
>> >> >> >> > Though I have read that strongSwan supports scalability, I
>> >> >> >> > couldn't find stats to support it.
>> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
>> >> >> >> > support up to 100k simultaneous connections*. Hence I need to
>> >> >> >> > find pointers to obtain this kind of information.
>> >> >> >
>> >> >> > hi,
>> >> >> >
>> >> >> > I think further scaling might be possible with load balancers. But
>> >> >> > this is a topic for deeper investigation of the project.
>> >> >> >
>> >> >> > Kind regards,
>> >> >> >
>> >> >> > Michael Schwartzkopff
>> >> >> >
>> >> >> > --
>> >> >> > [*] sys4 AG
>> >> >> >
>> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> >> >> > Schleißheimer Straße 26/MG, 80333 München
>> >> >> >
>> >> >> > Registered office: München, Amtsgericht München: HRB 199263
>> >> >> > Board: Patrick Ben Koetter, Marc Schiffbauer
>> >> >> > Chairman of the Supervisory Board: Florian Kirstein
>> >> >> > _______________________________________________
>> >> >> > Users mailing list
>> >> >> > Users at lists.strongswan.org
>> >> >> > https://lists.strongswan.org/mailman/listinfo/users
>> >> >>
>> >> >> Thanks Michael,
>> >> >> I was just searching whether load balancing is supported by strongSwan
>> >> >> or not. Came across this thread:
>> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>> >> >>
>> >> >> But this didn't lead to any conclusion.
>> >> >> So is load balancing supported by strongSwan?
>> >> >
>> >> > If you use LVS in front, the VPN server does not know about the load
>> >> > balancing. You would have to find a solution for the reverse traffic,
>> >> > i.e. IP pools on the VPN server.
>> >> >
>> >> > LVS offers a feature to do load balancing with firewall marks. This
>> >> > might be necessary for balancing IKE and ESP together.
>> >> >
>> >> > I don't know if a SA sync between strongswan servers is possible.
>> >> >
>> >> > But anyway: This setup should be designed and tested very carefully.
>> >> >
>> >> >
>> >> > Kind regards,
>> >> >
>> >> > Michael Schwartzkopff
>> >> >
>> >>
>> >> "You would have to find a solution for the reverse traffic, i.e. IP pools
>> >> on the VPN server."
>> >> -> This is what I am mainly concerned about. There is something called
>> >> clusterIP. I need to figure out what it is and how can I use it for
>> >> load balancing.
>> >>
>> >>
>> >> "I don't know if a SA sync between strongswan servers is possible."
>> >> -> I guess this will be needed if server_1 fails and the user should
>> >> automatically be switched to server_2. Is that right?
>> >
>> > These questions depend on your concept / design / implementation.
>> >
>> > If you can afford a little downtime, DPD could be an option for you.
>> >
>> >
>> >
>> >
>> > Kind regards,
>> >
>> > Michael Schwartzkopff
>> >
>>
>> My objective is mainly scalability. So if 1 instance can support 60k
>> concurrent connections and I expect 100k connections, then I can
>> deploy 2 instances. Am I on the right track?
>
> No. If one instance fails, then the other would have to serve all connections.
> This will overload it.
>
> The same happens if you want to take one instance down for maintenance.
>
> You need at least 3 instances with these performance figures.
>
>
> Kind regards,
>
> Michael Schwartzkopff
>

Good point. Will keep this in mind. Thanks

-- 
Regards,
Varun
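A strongswan.conf fragment that applies the tuning Andreas recommends above (a segmented hash table for IKE_SA lookup, reserved threads for high- and medium-priority jobs, and a file logger in place of syslog). This is an added illustration, not configuration taken from the thread or from the strongSwan project: the table size, thread counts and the log path /var/log/charon.log are assumed starting values to be measured against your own load, and the `filelog` section uses the pre-5.7 syntax that matches the 5.3.5 release mentioned in the thread.

```conf
# strongswan.conf (assumed values; see the IkeSaTable, JobPriority and
# LoggerConfiguration wiki pages linked in the thread for the semantics)
charon {
    # IKE_SA lookup: a larger table split into segments reduces lock
    # contention when tens of thousands of IKE_SAs are live
    ikesa_table_size = 4096
    ikesa_table_segments = 32

    # Worker pool: reserve threads so DPD and rekeying (high/medium
    # priority) are not starved by a flood of new-connection jobs
    threads = 32
    processor {
        priority_threads {
            high = 2
            medium = 8
        }
    }

    # Silence the syslog daemon facility entirely (level -1)
    syslog {
        daemon {
            default = -1
        }
    }

    # File-based logging instead; level 1 keeps negotiation failures
    # visible without the per-packet detail of higher levels
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            ike = 1
            flush_line = no
        }
    }
}
```

The DH-group and cipher advice belongs in the connection proposals rather than in strongswan.conf, for example `ike=aes128gcm16-prfsha256-ecp256!` and `esp=aes128gcm16!` in ipsec.conf; substituting `curve25519` for `ecp256` requires strongSwan 5.5.2 or later, as Andreas notes. After changing the logger or thread settings, check the file log once under load to confirm that rekey and DPD events are still being processed promptly; that is the symptom the priority threads are meant to protect against.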
