[strongSwan] Can strongSwan support 100k concurrent connections?

Noel Kuntze noel at familie-kuntze.de
Wed Jan 18 18:30:57 CET 2017


On 18.01.2017 18:23, Varun Singh wrote:
> Okay. Surprisingly I was told in a discussion with a networking expert
> that a new virtual network interface is created on server every time a
> VPN client connects. Is there a link or document which states in
> detail how server's network module functions when a client makes a
> connection? Thanks.
Sounds like he/she's not a very good expert then.
strongSwan manipulates the kernel's SAD and SPD, which are implemented
by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec policies
are applied to traffic.
There's no such document. Take a look at the list of IPsec and related standards[1]
to get information about what strongSwan implements. strongSwan does different
things in detail based on the underlying operating system and if you use kernel-libipsec
or not.
In very rough terms, the peers authenticate each other (IKE_SA), then negotiate CHILD_SAs,
which are used to transport traffic; when negotiating the CHILD_SAs, the peers each insert
corresponding SAs and SPs into the SAD and SPD on the local host.
Even if you use kernel-libipsec (which you shouldn't), strongSwan only creates a single
interface.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
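The SAD/SPD manipulation described above can be checked directly on a Linux gateway, since XFRM exposes both tables through iproute2. The following is an added example (my own code, not strongSwan's or iproute2's): it parses the text format of `ip xfrm state` and `ip xfrm policy`, groups entries by reqid (strongSwan assigns one reqid per CHILD_SA), and compares the counts with what a given number of clients should cost. It assumes strongSwan's default tunnel-mode install on Linux of one SA per direction plus out/in/fwd policies; the sample output is constructed (documentation addresses, no key material), and `parse_entries`, `summarize`, `expected_objects` and `read_live` are names chosen for this example.

```python
"""Added example (not strongSwan's code): read the Linux XFRM SAD/SPD as iproute2
prints it and count what strongSwan installed per CHILD_SA.  Samples are constructed."""
import subprocess

# Constructed `ip xfrm state` output: two CHILD_SAs (reqid 1 and 2), one ESP SA
# per direction each.  Real output indents with tabs and also prints key lines.
SAMPLE_STATE = """\
src 198.51.100.1 dst 203.0.113.10
    proto esp spi 0x0a000001 reqid 1 mode tunnel
src 203.0.113.10 dst 198.51.100.1
    proto esp spi 0x0a000002 reqid 1 mode tunnel
src 198.51.100.1 dst 203.0.113.11
    proto esp spi 0x0a000003 reqid 2 mode tunnel
src 203.0.113.11 dst 198.51.100.1
    proto esp spi 0x0a000004 reqid 2 mode tunnel
"""

# Constructed `ip xfrm policy` output: out/fwd/in policies per CHILD_SA, each
# template naming the SA pair by reqid.  10.10.0.x are virtual IPs from a pool.
SAMPLE_POLICY = """\
src 10.0.0.0/24 dst 10.10.0.1/32
    dir out priority 375423 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.10.0.1/32 dst 10.0.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.10.0.1/32 dst 10.0.0.0/24
    dir in priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.10.0.2/32
    dir out priority 375423 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.11
        proto esp reqid 2 mode tunnel
src 10.10.0.2/32 dst 10.0.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src 203.0.113.11 dst 198.51.100.1
        proto esp reqid 2 mode tunnel
src 10.10.0.2/32 dst 10.0.0.0/24
    dir in priority 375423 ptype main
    tmpl src 203.0.113.11 dst 198.51.100.1
        proto esp reqid 2 mode tunnel
"""


def parse_entries(text):
    """Split `ip xfrm state|policy` output into dicts: an entry starts at an unindented
    'src X dst Y' line, indented lines are key/value runs, template addresses become
    tmpl_src/tmpl_dst so they do not clobber the selector."""
    entries, cur = [], None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("src ") and len(f) >= 4:
            cur = {"src": f[1], "dst": f[3]}
            entries.append(cur)
        elif cur is not None and line[:1].isspace() and f:
            if f[0] == "tmpl":
                cur["tmpl_src"], cur["tmpl_dst"] = f[2], f[4]
            else:  # key-material lines fold into harmless extra keys
                cur.update(zip(f[::2], f[1::2]))
    return entries


def summarize(state_text, policy_text):
    """Group SAs and policies by reqid; entries without one ('socket' policies) are skipped."""
    children = {}
    for kind, text in (("sas", state_text), ("policies", policy_text)):
        for e in parse_entries(text):
            if "reqid" not in e:
                continue
            c = children.setdefault(int(e["reqid"]), {"sas": 0, "policies": [], "peer": None})
            if kind == "sas":
                c["sas"] += 1
            else:
                c["policies"].append(e["dir"])
                if e["dir"] == "out":
                    c["peer"] = e["tmpl_dst"]  # remote address the tunnel runs to
    return children


def expected_objects(child_sas):
    """Assumption used here: a tunnel-mode CHILD_SA costs one SA per direction plus
    out/in/fwd policies, so N clients with one CHILD_SA each need 2N SAs and 3N policies."""
    return {"sas": 2 * child_sas, "policies": 3 * child_sas, "interfaces": 0}


def read_live():
    """(state, policy) text from the running kernel, or None without `ip`/CAP_NET_ADMIN."""
    try:
        run = lambda obj: subprocess.run(["ip", "xfrm", obj], capture_output=True, text=True, check=True).stdout
        return run("state"), run("policy")
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    live = read_live()
    state, policy = live if live and live[0].strip() else (SAMPLE_STATE, SAMPLE_POLICY)
    children = summarize(state, policy)
    sas = sum(c["sas"] for c in children.values())
    pols = sum(len(c["policies"]) for c in children.values())
    print(f"{len(children)} CHILD_SAs -> {sas} SAs, {pols} policies; expected {expected_objects(len(children))}")
```

Run it as root on the gateway (unprivileged `ip xfrm state` prints nothing, so the script falls back to the constructed sample). A useful cross-check for the interface question is `ip -o link | wc -l` before and after clients connect: with the kernel backend it does not change, and with kernel-libipsec it grows by exactly one TUN device, as the reply says. For capacity planning the per-CHILD_SA ratio is what matters: the kernel holds roughly 2N SAs and 3N policies for N clients, not N interfaces.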

