[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Wed Jan 18 18:11:25 CET 2017


On Mon, Jan 16, 2017 at 7:24 PM, Varun Singh <varun.singh at gslab.com> wrote:
> On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>> On Monday, 16 January 2017, 18:55:35 you wrote:
>>> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>>> > On Monday, 16 January 2017, 18:30:15 Varun Singh wrote:
>>> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>>> >> > On Monday, 16 January 2017, 18:09:00 Varun Singh wrote:
>>> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff <ms at sys4.de> wrote:
>>> >> >> > On Monday, 16 January 2017, 20:06:45 Andreas Steffen wrote:
>>> >> >> >> Hi Varun,
>>> >> >> >>
>>> >> >> >> we have customers who have successfully been running up to 60k
>>> >> >> >> concurrent tunnels. In order to maximize performance please have
>>> >> >> >> a look at the use of hash tables for IKE_SA lookup
>>> >> >> >>
>>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
>>> >> >> >>
>>> >> >> >> as well as job priority management
>>> >> >> >>
>>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
>>> >> >> >>
>>> >> >> >> We also recommend using file-based logging, since writing to syslog
>>> >> >> >> extremely slows down the charon daemon
>>> >> >> >>
>>> >> >> >>    https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>> >> >> >>
>>> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key
>>> >> >> >> exchange
>>> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or
>>> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for
>>> >> >> >> maximum performance.
>>> >> >> >>
>>> >> >> >> ESP throughput is limited by the number of available cores and the
>>> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance.
>>> >> >> >>
>>> >> >> >> Best regards
>>> >> >> >>
>>> >> >> >> Andreas
>>> >> >> >>
>>> >> >> >> On 16.01.2017 19:00, Varun Singh wrote:
>>> >> >> >> > Hi,
>>> >> >> >> > As I understand, strongSwan supports scalability from 4.x
>>> >> >> >> > onwards. I am new to strongSwan and to VPN in general.
>>> >> >> >> > I have set up strongSwan 5.3.5 on Ubuntu 16.04 LTS.
>>> >> >> >> > Though I have read that strongSwan supports scalability, I
>>> >> >> >> > couldn't find stats to support it.
>>> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can
>>> >> >> >> > support up to 100k simultaneous connections*. Hence I need to
>>> >> >> >> > find pointers to obtain this kind of information.
>>> >> >> >
>>> >> >> > Hi,
>>> >> >> >
>>> >> >> > I think further scaling might be possible with load balancers. But
>>> >> >> > this is a topic for deeper investigation of the project.
>>> >> >> >
>>> >> >> > Kind regards,
>>> >> >> >
>>> >> >> > Michael Schwartzkopff
>>> >> >> >
>>> >> >> > --
>>> >> >> > [*] sys4 AG
>>> >> >> >
>>> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>>> >> >> > Schleißheimer Straße 26/MG, 80333 München
>>> >> >> >
>>> >> >> > Registered office: München, Amtsgericht München: HRB 199263
>>> >> >> > Management board: Patrick Ben Koetter, Marc Schiffbauer
>>> >> >> > Chairman of the supervisory board: Florian Kirstein
>>> >> >> > _______________________________________________
>>> >> >> > Users mailing list
>>> >> >> > Users at lists.strongswan.org
>>> >> >> > https://lists.strongswan.org/mailman/listinfo/users
>>> >> >>
>>> >> >> Thanks Michael,
>>> >> >> I was just searching whether load balancing is supported by strongSwan
>>> >> >> or not. Came across this thread:
>>> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html
>>> >> >>
>>> >> >> But this didn't lead to any conclusion.
>>> >> >> So is load balancing supported by strongSwan?
>>> >> >
>>> >> > If you use LVS in front of the VPN server, it does not know about the
>>> >> > load balancing. You would have to find a solution for the reverse
>>> >> > traffic, i.e. IP pools on the VPN server.
>>> >> >
>>> >> > LVS offers a feature to do load balancing with firewall marks. This
>>> >> > might be necessary for balancing IKE and ESP together.
>>> >> >
>>> >> > I don't know if an SA sync between strongswan servers is possible.
>>> >> >
>>> >> > But anyway: this setup should be designed and tested very carefully.
>>> >> >
>>> >> >
>>> >> > Kind regards,
>>> >> >
>>> >> > Michael Schwartzkopff
>>> >> >
>>> >>
>>> >> "You would have to find a solution for the reverse traffic, i.e. IP pools
>>> >> on the VPN server."
>>> >> -> This is what I am mainly concerned about. There is something called
>>> >> ClusterIP. I need to figure out what it is and how I can use it for
>>> >> load balancing.
>>> >>
>>> >>
>>> >> "I don't know if a SA sync between strongswan servers is possible."
>>> >> -> I guess this will be needed if server_1 fails and the user should
>>> >> automatically be switched to server_2. Is that right?
>>> >
>>> > These questions depend on your concept / design / implementation.
>>> >
>>> > If you can afford a little downtime, DPD could be an option for you.
>>> >
>>> > Kind regards,
>>> >
>>> > Michael Schwartzkopff
>>> >
>>>
>>> My objective is mainly scalability. So if 1 instance can support 60k
>>> concurrent connections and I expect 100k connections, then I can
>>> deploy 2 instances. Am I on the right track?
>>
>> No. If one instance fails, then the other would have to serve all connections.
>> This will overload it.
>>
>> The same happens if you want to take one instance down for maintenance.
>>
>> You need at least 3 instances with these performance figures.
>>
>>
>> Kind regards,
>>
>> Michael Schwartzkopff
>>
>
> Good point. Will keep this in mind. Thanks
>
> --
> Regards,
> Varun

Yet another concern related to this. From what I know, VPN server
creates a new virtual network interface for every VPN client
connected. Can strongSwan/Linux handle creating and maintaining
thousands of virtual network interfaces? I have found that it depends
on the size of file descriptor. But I couldn't understand in detail
how that works. Can someone shed light on this? Thanks.

-- 
Regards,
Varun
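The tuning Andreas lists above (segmented IKE_SA hash table, reserved job-priority threads, file instead of syslog logging, ecp256/curve25519 DH groups and aes128gcm16 for ESP) and Michael's DPD remark, put together as one added configuration example. This is not from the thread or from the strongSwan project. The option names are the strongswan.conf / ipsec.conf keys of the 5.5.x series; the numeric values (table size, thread counts, DPD interval) are constructed starting points to be measured against the actual load, not figures anyone in the thread reported.

```conf
# /etc/strongswan.conf -- illustrative settings for a responder that must
# hold tens of thousands of IKE_SAs. Added example; values are constructed.
charon {
    # IKE_SA lookup: the default is a single bucket, so lookups degrade
    # linearly with the number of SAs. A larger, segmented hash table keeps
    # lookups cheap and reduces lock contention between worker threads.
    ikesa_table_size = 4096
    ikesa_table_segments = 64

    # Worker threads, with a few reserved for high/medium priority jobs
    # (DPD, rekeying, retransmits) so that a burst of new IKE_SA_INIT
    # requests cannot starve maintenance of already established tunnels.
    threads = 32
    processor {
        priority_threads {
            high = 4
            medium = 4
        }
    }

    # Logging: level -1 silences the syslog backend entirely; charon then
    # writes to a plain file, which does not block on the syslog socket.
    syslog {
        daemon {
            default = -1
        }
    }
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 1
            flush_line = yes
        }
    }
}

# /etc/ipsec.conf -- matching cipher proposals and dead peer detection.
# The first DH group is curve25519 (needs strongSwan >= 5.5.2); ecp256 is
# the fallback for older initiators. Both are far cheaper than the large
# MODP groups, which is where most IKE CPU time goes.
conn %default
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-curve25519,aes128gcm16-prfsha256-ecp256!
    esp=aes128gcm16!
    # DPD on the responder clears SAs of peers that stopped answering.
    # On the client side, dpdaction=restart makes it re-establish to
    # whichever instance the load balancer offers next, at the cost of a
    # short outage (the "little downtime" mentioned above).
    dpddelay=30s
    dpdaction=clear
```

Before relying on any of these numbers, load-test with the real client mix: the right `ikesa_table_size` is roughly the expected SA count divided by a small per-bucket factor, and the thread counts should be raised only until the cores Andreas mentions as the ESP bottleneck are actually busy.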

