[strongSwan] Can strongSwan support 100k concurrent connections?

Varun Singh varun.singh at gslab.com
Wed Jan 18 18:37:11 CET 2017

On Wed, Jan 18, 2017 at 11:00 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> On 18.01.2017 18:23, Varun Singh wrote:
>> Okay. Surprisingly I was told in a discussion with a networking expert
>> that a new virtual network interface is created on server every time a
>> VPN client connects. Is there a link or document which states in
>> detail how the server's network module functions when a client makes a
>> connection? Thanks.
> Sounds like he/she's not a very good expert then.
> strongSwan manipulates the kernel's SAD and SPD, which are implemented
> by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec policies
> are applied to traffic.
> There's no such document. Take a look at the list of IPsec and related standards[1]
> to get information about what strongSwan implements. strongSwan does different
> things in detail based on the underlying operating system and if you use kernel-libipsec
> or not.
> In very rough terms, the peers authenticate each other (IKE_SA), then negotiate CHILD_SAs,
> which are used to transport traffic, and when negotiating the CHILD_SAs the peers each insert
> corresponding SAs and SPs into the SAD and SPD on the local host.
> Even if you use kernel-libipsec (which you shouldn't), strongSwan only creates a single
> interface.
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Okay, so is 'not-creating-new-interfaces' a feature unique to
strongSwan or is it common for all VPN servers? The reason I am asking is,
maybe I have misunderstood what the expert was saying. If not, I
should discuss this with him.
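As an added illustration of the point made in the reply above (this is not code from the thread or from the strongSwan project), the script below parses text in the shape of `ip xfrm state` and `ip xfrm policy` output and groups the kernel's SAD and SPD entries per CHILD_SA (by `reqid`). The two sample blocks are constructed, with addresses from documentation ranges and dummy keys; they are not captured from a real host. It shows what a tunnel actually leaves behind in the kernel: two ESP SAs and three policies (in, out, fwd) per CHILD_SA, and nothing in the interface table, which is what matters when estimating the footprint of 100k concurrent clients.

```python
"""Group Linux XFRM state (SAD) and policy (SPD) entries per IPsec tunnel."""
import re
from collections import defaultdict

# Constructed sample in the shape of `ip xfrm state`: two tunnels (reqid 1 and 2),
# each with one outbound and one inbound ESP SA. Keys are dummy zeros.
XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc4b3a2c1 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
src 192.0.2.1 dst 203.0.113.7
    proto esp spi 0xc5d6e7f8 reqid 2 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
src 203.0.113.7 dst 192.0.2.1
    proto esp spi 0xc8f7e6d5 reqid 2 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
"""

# Constructed sample in the shape of `ip xfrm policy`: out/fwd/in policy per tunnel.
XFRM_POLICY = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 375423 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.3.0.0/16
    dir out priority 375423 ptype main
    tmpl src 192.0.2.1 dst 203.0.113.7
        proto esp reqid 2 mode tunnel
src 10.3.0.0/16 dst 10.1.0.0/16
    dir fwd priority 375423 ptype main
    tmpl src 203.0.113.7 dst 192.0.2.1
        proto esp reqid 2 mode tunnel
src 10.3.0.0/16 dst 10.1.0.0/16
    dir in priority 375423 ptype main
    tmpl src 203.0.113.7 dst 192.0.2.1
        proto esp reqid 2 mode tunnel
"""

_SA_RE = re.compile(
    r"^src (\S+) dst (\S+)\n\s+proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")
_POL_RE = re.compile(
    r"^src (\S+) dst (\S+)\n\s+dir (\w+) .*\n\s+tmpl src (\S+) dst (\S+)\n\s+proto (\w+) reqid (\d+)")


def _records(text):
    """Split `ip xfrm` style output into records; each begins with an unindented 'src' line."""
    recs, cur = [], []
    for line in text.splitlines():
        if line.startswith("src ") and cur:
            recs.append("\n".join(cur))
            cur = []
        if line.strip():
            cur.append(line)
    if cur:
        recs.append("\n".join(cur))
    return recs


def parse_state(text):
    """Return one dict per SAD entry (SA), keyed the way the kernel keys them."""
    sas = []
    for rec in _records(text):
        m = _SA_RE.search(rec)
        if m:
            src, dst, proto, spi, reqid, mode = m.groups()
            sas.append({"src": src, "dst": dst, "proto": proto,
                        "spi": int(spi, 16), "reqid": int(reqid), "mode": mode})
    return sas


def parse_policy(text):
    """Return one dict per SPD entry (policy) with its selector, direction and template."""
    pols = []
    for rec in _records(text):
        m = _POL_RE.search(rec)
        if m:
            sel_src, sel_dst, direction, t_src, t_dst, proto, reqid = m.groups()
            pols.append({"sel_src": sel_src, "sel_dst": sel_dst, "dir": direction,
                         "tmpl_src": t_src, "tmpl_dst": t_dst, "proto": proto,
                         "reqid": int(reqid)})
    return pols


def summarize(sas, policies):
    """Per reqid (one CHILD_SA): remote peer, number of SAs and the policy directions present."""
    out = defaultdict(lambda: {"peer": None, "sas": 0, "dirs": set()})
    for sa in sas:
        out[sa["reqid"]]["sas"] += 1
    for p in policies:
        e = out[p["reqid"]]
        e["dirs"].add(p["dir"])
        if p["dir"] == "out":          # outbound template destination is the remote peer
            e["peer"] = p["tmpl_dst"]
    return dict(out)


def projected_kernel_entries(summary, clients):
    """Scale the per-tunnel shape seen in the sample to `clients` tunnels.

    Every tunnel adds SAD and SPD entries only; no network interface is created.
    """
    per_sa = max(e["sas"] for e in summary.values())
    per_pol = max(len(e["dirs"]) for e in summary.values())
    return {"sas": clients * per_sa, "policies": clients * per_pol}


if __name__ == "__main__":
    summary = summarize(parse_state(XFRM_STATE), parse_policy(XFRM_POLICY))
    for reqid, e in sorted(summary.items()):
        print(f"reqid {reqid}: peer {e['peer']}, {e['sas']} SAs, policies {sorted(e['dirs'])}")
    print(projected_kernel_entries(summary, 100_000))
```

On a real host the same grouping can be fed from `ip xfrm state` and `ip xfrm policy` directly; `ip link` before and after a client connects shows the interface table unchanged, which is the practical check for the claim in the reply.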
