[strongSwan] Interested in ipsec with source routing and/or vrf

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat May 25 00:56:25 CEST 2019


Hello Ben,

> The purpose is to load test a VPN server
> with a small number of physical client machines. 

If the VPN server supports several CHILD_SAs and arbitrary subnets on the
remote side, you can just run several CHILD_SAs and negotiate, for example,
a CHILD_SA per client machine IP. So you'd have tunnels like ...
0.0.0.0/0 == 192.168.35.10
0.0.0.0/0 == 192.168.35.11
0.0.0.0/0 == 192.168.35.12


That will enable the usage of RSS and RPS on both ends of the tunnels, so the IPsec SAs
can be load balanced over several CPU cores. Keep in mind though that your wire speed
is likely not high enough to saturate a modern computer or anything even remotely properly configured.
You can only get them to their knees by the sheer number of simultaneously actively used IPsec SAs
by virtue of making the policy lookup more expensive and making sure that the information for the
used IPsec SAs don't fit into the CPU caches.

Kind regards

Noel Kuntze

On 24.05.19 at 21:46, Ben Greear wrote:
> Hello,
>
> I'd like to be able to set up multiple (virtual) network interfaces on a single
> Linux machine and have them connect to a VPN server.  The VPN server should see
> each connection as a unique instance.  The purpose is to load test a VPN server
> with a small number of physical client machines.
>
> I know how to set up source-based routing tables and VRFs, and other general
> networking things...
>
> But, I do not know much at all about ipsec and VPNs, so I'd be happy to pay
> for someone to help me out with this part of things.
>
> Thanks,
> Ben
>
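
The layout described in the reply above, as an added example that is not part of the original mail or of strongSwan: a Python generator that writes a swanctl.conf connection with one CHILD_SA per client IP, matching the "0.0.0.0/0 == 192.168.35.x" tunnels. The server name, the connection and child names, and the PSK authentication settings are assumptions; the secrets section is not generated.

```python
import ipaddress

def child_block(index, client_ip, server_ts="0.0.0.0/0"):
    """One CHILD_SA: a single client /32 on our side, server_ts on the far side."""
    return (
        f"      client{index} {{\n"
        f"        local_ts = {client_ip}/32\n"
        f"        remote_ts = {server_ts}\n"
        f"        start_action = start\n"
        f"      }}\n"
    )

def render_connection(client_ips, server="vpn.example.test", name="loadtest"):
    """Return swanctl.conf text with one child per unique IPv4 client address.

    server and name are hypothetical placeholders, not values from the mail.
    """
    seen, children = set(), []
    for raw in client_ips:
        ip = ipaddress.IPv4Address(raw)      # raises ValueError on malformed input
        if ip in seen:                       # two children with the same selectors
            raise ValueError(f"duplicate client IP: {ip}")
        seen.add(ip)
        children.append(child_block(len(children), ip))
    if not children:
        raise ValueError("need at least one client IP")
    return (
        "connections {\n"
        f"  {name} {{\n"
        "    version = 2\n"
        f"    remote_addrs = {server}\n"
        "    local {\n"
        "      auth = psk\n"                 # assumed auth method
        "      id = loadtest-client\n"       # assumed identity
        "    }\n"
        "    remote {\n"
        "      auth = psk\n"
        "    }\n"
        "    children {\n"
        + "".join(children) +
        "    }\n"
        "  }\n"
        "}\n"
    )

if __name__ == "__main__":
    # Client addresses taken from the tunnel list in the reply.
    print(render_connection(["192.168.35.10", "192.168.35.11", "192.168.35.12"]))
```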
