Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Mittwoch, 18. Januar 2017, 13:27:58 schrieb Eric Germann: > > On Jan 18, 2017, at 1:25 PM, Noel Kuntze wrote: > > > > > Show me how to get SNMP stats per connection definition so we don’t have to > use NetFlow and I’m all in. > > Unrelated to the topic: Please try to avoid using the old, unmaintained, > > bug ridden net-tools. Use iproute2 for everything (which you can do!). If I find time and / or money I would write a SNMP subagent for strongswan. But I got not really much feedback last time when this topic was discussed here on the list. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein signature.asc Description: This is a digitally signed message part. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 19:27, Eric Germann wrote: > Show me how to get SNMP stats per connection definition so we don’t have to > use NetFlow and I’m all in. What are SNMP stats for you? What `netstat` prints? iproute2 has `ss` for that. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
> On Jan 18, 2017, at 1:25 PM, Noel Kuntze wrote: > > Show me how to get SNMP stats per connection definition so we don’t have to use NetFlow and I’m all in. > Unrelated to the topic: Please try to avoid using the old, unmaintained, bug > ridden net-tools. Use iproute2 for everything (which you can do!). > > -- > > Mit freundlichen Grüßen/Kind Regards, > Noel Kuntze > > GPG Key ID: 0x63EC6658 > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 smime.p7s Description: S/MIME cryptographic signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 19:23, Eric Germann wrote: > Just a minor point. OpenVPN can create tun interfaces, although that one > interface is associated with all the clients connecting to that port > > tun0 Link encap:UNSPEC HWaddr > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 > inet addr:172.28.100.1 P-t-P:172.28.100.1 Mask:255.255.255.0 > inet6 addr: 2001:470:e2fc:100::1/64 Scope:Global > UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) I know that. The point is, that it's not creating one for every client, which is what we were discussing. Unrelated to the topic: Please try to avoid using the old, unmaintained, bug ridden net-tools. Use iproute2 for everything (which you can do!). -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Just a minor point. OpenVPN can create tun interfaces, although that one interface is associated with all the clients connecting to that port tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:172.28.100.1 P-t-P:172.28.100.1 Mask:255.255.255.0 inet6 addr: 2001:470:e2fc:100::1/64 Scope:Global UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) EKG > On Jan 18, 2017, at 12:38 PM, Noel Kuntze wrote: > > On 18.01.2017 18:37, Varun Singh wrote: >> Okay, so is 'not-creating-new-interfaces' a feature unique to >> strongSwan or is it common for all VPN servers? Reason I am asking is, >> may be I have misunderstood what the expert was saying. If not, I >> should discuss this with him. > Neither strongSwan, nor openvpn do that. I have never seen something like > that. > -- > > Mit freundlichen Grüßen/Kind Regards, > Noel Kuntze > > GPG Key ID: 0x63EC6658 > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 > > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users smime.p7s Description: S/MIME cryptographic signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 18:42, Michael Schwartzkopff wrote: > Old versions of openswan / freeswan did create interfaces. KLIPS, which libreswan also supports, right? -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Mittwoch, 18. Januar 2017, 18:38:51 schrieb Noel Kuntze: > On 18.01.2017 18:37, Varun Singh wrote: > > Okay, so is 'not-creating-new-interfaces' a feature unique to > > strongSwan or is it common for all VPN servers? Reason I am asking is, > > may be I have misunderstood what the expert was saying. If not, I > > should discuss this with him. > > Neither strongSwan, nor openvpn do that. I have never seen something like > that. Old versions of openswan / freeswan did create interfaces. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein signature.asc Description: This is a digitally signed message part. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Wed, Jan 18, 2017 at 11:08 PM, Noel Kuntze wrote: > On 18.01.2017 18:37, Varun Singh wrote: >> Okay, so is 'not-creating-new-interfaces' a feature unique to >> strongSwan or is it common for all VPN servers? Reason I am asking is, >> may be I have misunderstood what the expert was saying. If not, I >> should discuss this with him. > Neither strongSwan, nor openvpn do that. I have never seen something like > that. > -- > > Mit freundlichen Grüßen/Kind Regards, > Noel Kuntze > > GPG Key ID: 0x63EC6658 > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 > > Okay thanks. I will discuss this with him tomorrow then. -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 18:37, Varun Singh wrote: > Okay, so is 'not-creating-new-interfaces' a feature unique to > strongSwan or is it common for all VPN servers? Reason I am asking is, > may be I have misunderstood what the expert was saying. If not, I > should discuss this with him. Neither strongSwan, nor openvpn do that. I have never seen something like that. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Wed, Jan 18, 2017 at 11:00 PM, Noel Kuntze wrote: > On 18.01.2017 18:23, Varun Singh wrote: >> Okay. Surprisingly I was told in a discussion with a networking expert >> that a new virtual network interface is created on server every time a >> VPN client connects. Is there is link or document which states in >> detail how server's network module functions when a client makes a >> connection? Thanks. > Sounds like he/she's not a very good expert then. > strongSwan manipulates the kernel's SAD and SPD, which are implemented > by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec > policies > are applied to traffic. > There's no such document. Take a look at the list of IPsec and related > standards[1] > to get information about what strongSwan implements. strongSwan does different > things in detail based on the underlying operating system and if you use > kernel-libipsec > or not. > In very rough terms, the peers authenticate each other (IKE_SA), then > negotiate CHILD_SAs, > which are used to transport traffic and when negotiating the CHILD_SAs, the > peer each insert > corresponding SAs and SPs into the SAD and SPD on the local host. > Even if you use kernel-libipsec (which you shouldn't), strongSwan only > creates a single > interface. > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards > > > -- > > Mit freundlichen Grüßen/Kind Regards, > Noel Kuntze > > GPG Key ID: 0x63EC6658 > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 > > Okay, so is 'not-creating-new-interfaces' a feature unique to strongSwan or is it common for all VPN servers? Reason I am asking is, may be I have misunderstood what the expert was saying. If not, I should discuss this with him. -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 18:23, Varun Singh wrote: > Okay. Surprisingly I was told in a discussion with a networking expert > that a new virtual network interface is created on server every time a > VPN client connects. Is there is link or document which states in > detail how server's network module functions when a client makes a > connection? Thanks. Sounds like he/she's not a very good expert then. strongSwan manipulates the kernel's SAD and SPD, which are implemented by XFRM on Linux. It doesn't create any new interfaces. Only the IPsec policies are applied to traffic. There's no such document. Take a look at the list of IPsec and related standards[1] to get information about what strongSwan implements. strongSwan does different things in detail based on the underlying operating system and if you use kernel-libipsec or not. In very rough terms, the peers authenticate each other (IKE_SA), then negotiate CHILD_SAs, which are used to transport traffic and when negotiating the CHILD_SAs, the peer each insert corresponding SAs and SPs into the SAD and SPD on the local host. Even if you use kernel-libipsec (which you shouldn't), strongSwan only creates a single interface. [1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Wed, Jan 18, 2017 at 10:44 PM, Noel Kuntze wrote: > On 18.01.2017 18:11, Varun Singh wrote: >> Yet another concern related to this. From what I know, VPN server >> creates a new virtual network interface for every VPN client >> connected. > It doesn't. > > > -- > > Mit freundlichen Grüßen/Kind Regards, > Noel Kuntze > > GPG Key ID: 0x63EC6658 > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 > > Okay. Surprisingly I was told in a discussion with a networking expert that a new virtual network interface is created on server every time a VPN client connects. Is there is link or document which states in detail how server's network module functions when a client makes a connection? Thanks. -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 18.01.2017 18:11, Varun Singh wrote: > Yet another concern related to this. From what I know, VPN server > creates a new virtual network interface for every VPN client > connected. It doesn't. -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 signature.asc Description: OpenPGP digital signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 7:24 PM, Varun Singh wrote: > On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff wrote: >> Am Montag, 16. Januar 2017, 18:55:35 schrieben Sie: >>> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff wrote: >>> > Am Montag, 16. Januar 2017, 18:30:15 schrieb Varun Singh: >>> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff >>> >> wrote: >>> >> > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: >>> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff >> wrote: >>> >> >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: >>> >> >> >> Hi Varun, >>> >> >> >> >>> >> >> >> we have customers who have successfully been running up to 60k >>> >> >> >> concurrent tunnels. In order to maximize performance please have >>> >> >> >> a look at the use of hash tables for IKE_SA lookup >>> >> >> >> >>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable >>> >> >> >> >>> >> >> >> as well as job priority management >>> >> >> >> >>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority >>> >> >> >> >>> >> >> >> We also recommend to use file-based logging since writing to syslog >>> >> >> >> extremely slows down the charon daemon >>> >> >> >> >>> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfi >>> >> >> >>gur >>> >> >> >>ati >>> >> >> >>on >>> >> >> >> >>> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key >>> >> >> >> exchange >>> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or >>> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for >>> >> >> >> maximum performance. >>> >> >> >> >>> >> >> >> ESP throughput is limited by the number of available cores and the >>> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance. >>> >> >> >> >>> >> >> >> Best regards >>> >> >> >> >>> >> >> >> Andreas >>> >> >> >> >>> >> >> >> On 16.01.2017 19:00, Varun Singh wrote: >>> >> >> >> > Hi, >>> >> >> >> > As I understand, strongSwan supports scalability from 4.x >>> >> >> >> > onwards. I >>> >> >> >> > am new to strongSwan and to VPN in general. >>> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. >>> >> >> >> > Though I have read that strongSwan supports scalability, I >>> >> >> >> > couldn't >>> >> >> >> > find stats to support it. >>> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can >>> >> >> >> > support >>> >> >> >> > upto 100k simultaneous connections*. Hence I need to find >>> >> >> >> > pointers >>> >> >> >> > to >>> >> >> >> > obtain this kind of information. >>> >> >> > >>> >> >> > hi, >>> >> >> > >>> >> >> > I think further scaling might be possible with loadbalancers. But >>> >> >> > this >>> >> >> > is >>> >> >> > topic of deeper investigation of the project. >>> >> >> > >>> >> >> > Mit freundlichen Grüßen, >>> >> >> > >>> >> >> > Michael Schwartzkopff >>> >> >> > >>> >> >> > -- >>> >> >> > [*] sys4 AG >>> >> >> > >>> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >>> >> >> > Schleißheimer Straße 26/MG, 80333 München >>> >> >> > >>> >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >>> >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >>> >> >> > Aufsichtsratsvorsitzender: Florian Kirstein >>> >> >> > ___ >>> >> >> > Users mailing list >>> >> >> > Users@lists.strongswan.org >>> >> >> > https://lists.strongswan.org/mailman/listinfo/users >>> >> >> >>> >> >> Thanks Michael, >>> >> >> I was just searching whether load balancing is supported by strongSwan >>> >> >> or not. Came across this thread: >>> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html >>> >> >> >>> >> >> But this didn't lead to any conclusion. >>> >> >> So is load balancing supported by strongSwan? >>> >> > >>> >> > if you use LVS before the VPN server does not know about the load >>> >> > balancing. You would have to find a solution for the reverse traffic, >>> >> > i.e. IP pools on the VPN server. >>> >> > >>> >> > LVS offers a feature to do loadbalancing with firewall marks. This >>> >> > might >>> >> > be >>> >> > nescessary for balancing IKE and ESP together. >>> >> > >>> >> > I don't know if a SA sync between strongswan servers is possible. >>> >> > >>> >> > But anyway: This setup shold be designed and tested very carefully. >>> >> > >>> >> > >>> >> > Mit freundlichen Grüßen, >>> >> > >>> >> > Michael Schwartzkopff >>> >> > >>> >> > -- >>> >> > [*] sys4 AG >>> >> > >>> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >>> >> > Schleißheimer Straße 26/MG, 80333 München >>> >> > >>> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >>> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >>> >> > Aufsichtsratsvorsitzender: Florian Kirstein >>> >> > >>> >> > ___ >>> >> > Users mailing l
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 7:02 PM, Michael Schwartzkopff wrote: > Am Montag, 16. Januar 2017, 18:55:35 schrieben Sie: >> On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff wrote: >> > Am Montag, 16. Januar 2017, 18:30:15 schrieb Varun Singh: >> >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff >> >> wrote: >> >> > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: >> >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff > wrote: >> >> >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: >> >> >> >> Hi Varun, >> >> >> >> >> >> >> >> we have customers who have successfully been running up to 60k >> >> >> >> concurrent tunnels. In order to maximize performance please have >> >> >> >> a look at the use of hash tables for IKE_SA lookup >> >> >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable >> >> >> >> >> >> >> >> as well as job priority management >> >> >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority >> >> >> >> >> >> >> >> We also recommend to use file-based logging since writing to syslog >> >> >> >> extremely slows down the charon daemon >> >> >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfi >> >> >> >>gur >> >> >> >>ati >> >> >> >>on >> >> >> >> >> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key >> >> >> >> exchange >> >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or >> >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for >> >> >> >> maximum performance. >> >> >> >> >> >> >> >> ESP throughput is limited by the number of available cores and the >> >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance. >> >> >> >> >> >> >> >> Best regards >> >> >> >> >> >> >> >> Andreas >> >> >> >> >> >> >> >> On 16.01.2017 19:00, Varun Singh wrote: >> >> >> >> > Hi, >> >> >> >> > As I understand, strongSwan supports scalability from 4.x >> >> >> >> > onwards. I >> >> >> >> > am new to strongSwan and to VPN in general. >> >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. >> >> >> >> > Though I have read that strongSwan supports scalability, I >> >> >> >> > couldn't >> >> >> >> > find stats to support it. >> >> >> >> > Before adopting strongSwan, my team wanted to know *if it can >> >> >> >> > support >> >> >> >> > upto 100k simultaneous connections*. Hence I need to find >> >> >> >> > pointers >> >> >> >> > to >> >> >> >> > obtain this kind of information. >> >> >> > >> >> >> > hi, >> >> >> > >> >> >> > I think further scaling might be possible with loadbalancers. But >> >> >> > this >> >> >> > is >> >> >> > topic of deeper investigation of the project. >> >> >> > >> >> >> > Mit freundlichen Grüßen, >> >> >> > >> >> >> > Michael Schwartzkopff >> >> >> > >> >> >> > -- >> >> >> > [*] sys4 AG >> >> >> > >> >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >> >> >> > Schleißheimer Straße 26/MG, 80333 München >> >> >> > >> >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >> >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >> >> >> > Aufsichtsratsvorsitzender: Florian Kirstein >> >> >> > ___ >> >> >> > Users mailing list >> >> >> > Users@lists.strongswan.org >> >> >> > https://lists.strongswan.org/mailman/listinfo/users >> >> >> >> >> >> Thanks Michael, >> >> >> I was just searching whether load balancing is supported by strongSwan >> >> >> or not. Came across this thread: >> >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html >> >> >> >> >> >> But this didn't lead to any conclusion. >> >> >> So is load balancing supported by strongSwan? >> >> > >> >> > if you use LVS before the VPN server does not know about the load >> >> > balancing. You would have to find a solution for the reverse traffic, >> >> > i.e. IP pools on the VPN server. >> >> > >> >> > LVS offers a feature to do loadbalancing with firewall marks. This >> >> > might >> >> > be >> >> > nescessary for balancing IKE and ESP together. >> >> > >> >> > I don't know if a SA sync between strongswan servers is possible. >> >> > >> >> > But anyway: This setup shold be designed and tested very carefully. >> >> > >> >> > >> >> > Mit freundlichen Grüßen, >> >> > >> >> > Michael Schwartzkopff >> >> > >> >> > -- >> >> > [*] sys4 AG >> >> > >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >> >> > Schleißheimer Straße 26/MG, 80333 München >> >> > >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >> >> > Aufsichtsratsvorsitzender: Florian Kirstein >> >> > >> >> > ___ >> >> > Users mailing list >> >> > Users@lists.strongswan.org >> >> > https://lists.strongswan.org/mailman/listinfo/users >> >> >> >> "You would have to find a solution for the reverse traffic, i.e.
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 7:03 PM, Andreas Steffen wrote: > On 16.01.2017 20:39, Varun Singh wrote: >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: >>> >>> Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: Hi Varun, we have customers who have successfully been running up to 60k concurrent tunnels. In order to maximize performance please have a look at the use of hash tables for IKE_SA lookup https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable as well as job priority management https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority We also recommend to use file-based logging since writing to syslog extremely slows down the charon daemon https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration The bottleneck for IKE processing is the Diffie-Hellman key exchange where 70-80 % of the computing effort is spent. Use the ecp256 or the new curve25519 (available with strongSwan 5.5.2) DH groups for maximum performance. ESP throughput is limited by the number of available cores and the processor clock frequency. Use aes128gcm16 for maximum performance. Best regards Andreas On 16.01.2017 19:00, Varun Singh wrote: > > Hi, > As I understand, strongSwan supports scalability from 4.x onwards. I > am new to strongSwan and to VPN in general. > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. > Though I have read that strongSwan supports scalability, I couldn't > find stats to support it. > Before adopting strongSwan, my team wanted to know *if it can support > upto 100k simultaneous connections*. Hence I need to find pointers to > obtain this kind of information. >>> >>> >>> hi, >>> >>> I think further scaling might be possible with loadbalancers. But this is >>> topic of deeper investigation of the project. >>> >>> Mit freundlichen Grüßen, >>> >>> Michael Schwartzkopff >>> >>> -- >>> [*] sys4 AG >>> >>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >>> Schleißheimer Straße 26/MG, 80333 München >>> >>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer >>> Aufsichtsratsvorsitzender: Florian Kirstein >>> ___ >>> Users mailing list >>> Users@lists.strongswan.org >>> https://lists.strongswan.org/mailman/listinfo/users >> >> >> Thanks Michael, >> I was just searching whether load balancing is supported by strongSwan >> or not. Came across this thread: >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html >> >> But this didn't lead to any conclusion. >> So is load balancing supported by strongSwan? >> > Have a look at strongSwan's High Availability (HA) solution > > https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability > > which can be run in an active-active mode where the load-balancing > is achieved by Cluster IP. > > Andreas > > > == > Andreas Steffen andreas.stef...@strongswan.org > strongSwan - the Open Source VPN Solution! www.strongswan.org > Institute for Internet Technologies and Applications > University of Applied Sciences Rapperswil > CH-8640 Rapperswil (Switzerland) > ===[ITA-HSR]== > Thanks for the pointers. -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On 16.01.2017 20:39, Varun Singh wrote: On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: Hi Varun, we have customers who have successfully been running up to 60k concurrent tunnels. In order to maximize performance please have a look at the use of hash tables for IKE_SA lookup https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable as well as job priority management https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority We also recommend to use file-based logging since writing to syslog extremely slows down the charon daemon https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration The bottleneck for IKE processing is the Diffie-Hellman key exchange where 70-80 % of the computing effort is spent. Use the ecp256 or the new curve25519 (available with strongSwan 5.5.2) DH groups for maximum performance. ESP throughput is limited by the number of available cores and the processor clock frequency. Use aes128gcm16 for maximum performance. Best regards Andreas On 16.01.2017 19:00, Varun Singh wrote: Hi, As I understand, strongSwan supports scalability from 4.x onwards. I am new to strongSwan and to VPN in general. I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. Though I have read that strongSwan supports scalability, I couldn't find stats to support it. Before adopting strongSwan, my team wanted to know *if it can support upto 100k simultaneous connections*. Hence I need to find pointers to obtain this kind of information. hi, I think further scaling might be possible with loadbalancers. But this is topic of deeper investigation of the project. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users Thanks Michael, I was just searching whether load balancing is supported by strongSwan or not. Came across this thread: https://lists.strongswan.org/pipermail/users/2013-November/005615.html But this didn't lead to any conclusion. So is load balancing supported by strongSwan? Have a look at strongSwan's High Availability (HA) solution https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability which can be run in an active-active mode where the load-balancing is achieved by Cluster IP. Andreas == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== smime.p7s Description: S/MIME Cryptographic Signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Montag, 16. Januar 2017, 18:55:35 schrieben Sie: > On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff wrote: > > Am Montag, 16. Januar 2017, 18:30:15 schrieb Varun Singh: > >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff > >> wrote: > >> > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: > >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: > >> >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: > >> >> >> Hi Varun, > >> >> >> > >> >> >> we have customers who have successfully been running up to 60k > >> >> >> concurrent tunnels. In order to maximize performance please have > >> >> >> a look at the use of hash tables for IKE_SA lookup > >> >> >> > >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable > >> >> >> > >> >> >> as well as job priority management > >> >> >> > >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority > >> >> >> > >> >> >> We also recommend to use file-based logging since writing to syslog > >> >> >> extremely slows down the charon daemon > >> >> >> > >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfi > >> >> >>gur > >> >> >>ati > >> >> >>on > >> >> >> > >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key > >> >> >> exchange > >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or > >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for > >> >> >> maximum performance. > >> >> >> > >> >> >> ESP throughput is limited by the number of available cores and the > >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance. > >> >> >> > >> >> >> Best regards > >> >> >> > >> >> >> Andreas > >> >> >> > >> >> >> On 16.01.2017 19:00, Varun Singh wrote: > >> >> >> > Hi, > >> >> >> > As I understand, strongSwan supports scalability from 4.x > >> >> >> > onwards. I > >> >> >> > am new to strongSwan and to VPN in general. > >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. > >> >> >> > Though I have read that strongSwan supports scalability, I > >> >> >> > couldn't > >> >> >> > find stats to support it. > >> >> >> > Before adopting strongSwan, my team wanted to know *if it can > >> >> >> > support > >> >> >> > upto 100k simultaneous connections*. Hence I need to find > >> >> >> > pointers > >> >> >> > to > >> >> >> > obtain this kind of information. > >> >> > > >> >> > hi, > >> >> > > >> >> > I think further scaling might be possible with loadbalancers. But > >> >> > this > >> >> > is > >> >> > topic of deeper investigation of the project. > >> >> > > >> >> > Mit freundlichen Grüßen, > >> >> > > >> >> > Michael Schwartzkopff > >> >> > > >> >> > -- > >> >> > [*] sys4 AG > >> >> > > >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > >> >> > Schleißheimer Straße 26/MG, 80333 München > >> >> > > >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > >> >> > Aufsichtsratsvorsitzender: Florian Kirstein > >> >> > ___ > >> >> > Users mailing list > >> >> > Users@lists.strongswan.org > >> >> > https://lists.strongswan.org/mailman/listinfo/users > >> >> > >> >> Thanks Michael, > >> >> I was just searching whether load balancing is supported by strongSwan > >> >> or not. Came across this thread: > >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html > >> >> > >> >> But this didn't lead to any conclusion. > >> >> So is load balancing supported by strongSwan? > >> > > >> > if you use LVS before the VPN server does not know about the load > >> > balancing. You would have to find a solution for the reverse traffic, > >> > i.e. IP pools on the VPN server. > >> > > >> > LVS offers a feature to do loadbalancing with firewall marks. This > >> > might > >> > be > >> > nescessary for balancing IKE and ESP together. > >> > > >> > I don't know if a SA sync between strongswan servers is possible. > >> > > >> > But anyway: This setup shold be designed and tested very carefully. > >> > > >> > > >> > Mit freundlichen Grüßen, > >> > > >> > Michael Schwartzkopff > >> > > >> > -- > >> > [*] sys4 AG > >> > > >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > >> > Schleißheimer Straße 26/MG, 80333 München > >> > > >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > >> > Aufsichtsratsvorsitzender: Florian Kirstein > >> > > >> > ___ > >> > Users mailing list > >> > Users@lists.strongswan.org > >> > https://lists.strongswan.org/mailman/listinfo/users > >> > >> "You would have to find a solution for the reverse traffic, i.e. IP pools > >> on the VPN server." > >> -> This is what I am mainly concerned about. There is something called > >> clusterIP. I need to figure out what it is
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 6:32 PM, Michael Schwartzkopff wrote: > Am Montag, 16. Januar 2017, 18:30:15 schrieb Varun Singh: >> On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote: >> > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: >> >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff >> >> wrote: >> >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: >> >> >> Hi Varun, >> >> >> >> >> >> we have customers who have successfully been running up to 60k >> >> >> concurrent tunnels. In order to maximize performance please have >> >> >> a look at the use of hash tables for IKE_SA lookup >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable >> >> >> >> >> >> as well as job priority management >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority >> >> >> >> >> >> We also recommend to use file-based logging since writing to syslog >> >> >> extremely slows down the charon daemon >> >> >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfigur >> >> >>ati >> >> >>on >> >> >> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange >> >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or >> >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for >> >> >> maximum performance. >> >> >> >> >> >> ESP throughput is limited by the number of available cores and the >> >> >> processor clock frequency. Use aes128gcm16 for maximum performance. >> >> >> >> >> >> Best regards >> >> >> >> >> >> Andreas >> >> >> >> >> >> On 16.01.2017 19:00, Varun Singh wrote: >> >> >> > Hi, >> >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I >> >> >> > am new to strongSwan and to VPN in general. >> >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. >> >> >> > Though I have read that strongSwan supports scalability, I couldn't >> >> >> > find stats to support it. >> >> >> > Before adopting strongSwan, my team wanted to know *if it can >> >> >> > support >> >> >> > upto 100k simultaneous connections*. Hence I need to find pointers >> >> >> > to >> >> >> > obtain this kind of information. >> >> > >> >> > hi, >> >> > >> >> > I think further scaling might be possible with loadbalancers. But this >> >> > is >> >> > topic of deeper investigation of the project. >> >> > >> >> > Mit freundlichen Grüßen, >> >> > >> >> > Michael Schwartzkopff >> >> > >> >> > -- >> >> > [*] sys4 AG >> >> > >> >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >> >> > Schleißheimer Straße 26/MG, 80333 München >> >> > >> >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >> >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >> >> > Aufsichtsratsvorsitzender: Florian Kirstein >> >> > ___ >> >> > Users mailing list >> >> > Users@lists.strongswan.org >> >> > https://lists.strongswan.org/mailman/listinfo/users >> >> >> >> Thanks Michael, >> >> I was just searching whether load balancing is supported by strongSwan >> >> or not. Came across this thread: >> >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html >> >> >> >> But this didn't lead to any conclusion. >> >> So is load balancing supported by strongSwan? >> > >> > if you use LVS before the VPN server does not know about the load >> > balancing. You would have to find a solution for the reverse traffic, >> > i.e. IP pools on the VPN server. >> > >> > LVS offers a feature to do loadbalancing with firewall marks. This might >> > be >> > nescessary for balancing IKE and ESP together. >> > >> > I don't know if a SA sync between strongswan servers is possible. >> > >> > But anyway: This setup shold be designed and tested very carefully. >> > >> > >> > Mit freundlichen Grüßen, >> > >> > Michael Schwartzkopff >> > >> > -- >> > [*] sys4 AG >> > >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >> > Schleißheimer Straße 26/MG, 80333 München >> > >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >> > Aufsichtsratsvorsitzender: Florian Kirstein >> > >> > ___ >> > Users mailing list >> > Users@lists.strongswan.org >> > https://lists.strongswan.org/mailman/listinfo/users >> >> "You would have to find a solution for the reverse traffic, i.e. IP pools on >> the VPN server." >> -> This is what I am mainly concerned about. There is something called >> clusterIP. I need to figure out what it is and how can I use it for >> load balancing. >> >> >> "I don't know if a SA sync between strongswan servers is possible." >> -> I guess this will be needed if server_1 fails and the user should >> automatically be switched to server_2. Is that right? > > these questions depend on your concept / design / inplementation. > > if you can afford a little downtime, DPD could be an option for you. > > > >
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Montag, 16. Januar 2017, 18:30:15 schrieb Varun Singh: > On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote: > > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: > >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff > >> wrote: > >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: > >> >> Hi Varun, > >> >> > >> >> we have customers who have successfully been running up to 60k > >> >> concurrent tunnels. In order to maximize performance please have > >> >> a look at the use of hash tables for IKE_SA lookup > >> >> > >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable > >> >> > >> >> as well as job priority management > >> >> > >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority > >> >> > >> >> We also recommend to use file-based logging since writing to syslog > >> >> extremely slows down the charon daemon > >> >> > >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfigur > >> >>ati > >> >>on > >> >> > >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange > >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or > >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for > >> >> maximum performance. > >> >> > >> >> ESP throughput is limited by the number of available cores and the > >> >> processor clock frequency. Use aes128gcm16 for maximum performance. > >> >> > >> >> Best regards > >> >> > >> >> Andreas > >> >> > >> >> On 16.01.2017 19:00, Varun Singh wrote: > >> >> > Hi, > >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I > >> >> > am new to strongSwan and to VPN in general. > >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. > >> >> > Though I have read that strongSwan supports scalability, I couldn't > >> >> > find stats to support it. > >> >> > Before adopting strongSwan, my team wanted to know *if it can > >> >> > support > >> >> > upto 100k simultaneous connections*. Hence I need to find pointers > >> >> > to > >> >> > obtain this kind of information. > >> > > >> > hi, > >> > > >> > I think further scaling might be possible with loadbalancers. But this > >> > is > >> > topic of deeper investigation of the project. > >> > > >> > Mit freundlichen Grüßen, > >> > > >> > Michael Schwartzkopff > >> > > >> > -- > >> > [*] sys4 AG > >> > > >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > >> > Schleißheimer Straße 26/MG, 80333 München > >> > > >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > >> > Aufsichtsratsvorsitzender: Florian Kirstein > >> > ___ > >> > Users mailing list > >> > Users@lists.strongswan.org > >> > https://lists.strongswan.org/mailman/listinfo/users > >> > >> Thanks Michael, > >> I was just searching whether load balancing is supported by strongSwan > >> or not. Came across this thread: > >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html > >> > >> But this didn't lead to any conclusion. > >> So is load balancing supported by strongSwan? > > > > if you use LVS before the VPN server does not know about the load > > balancing. You would have to find a solution for the reverse traffic, > > i.e. IP pools on the VPN server. > > > > LVS offers a feature to do loadbalancing with firewall marks. This might > > be > > nescessary for balancing IKE and ESP together. > > > > I don't know if a SA sync between strongswan servers is possible. > > > > But anyway: This setup shold be designed and tested very carefully. > > > > > > Mit freundlichen Grüßen, > > > > Michael Schwartzkopff > > > > -- > > [*] sys4 AG > > > > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > > Schleißheimer Straße 26/MG, 80333 München > > > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > > Aufsichtsratsvorsitzender: Florian Kirstein > > > > ___ > > Users mailing list > > Users@lists.strongswan.org > > https://lists.strongswan.org/mailman/listinfo/users > > "You would have to find a solution for the reverse traffic, i.e. IP pools on > the VPN server." > -> This is what I am mainly concerned about. There is something called > clusterIP. I need to figure out what it is and how can I use it for > load balancing. > > > "I don't know if a SA sync between strongswan servers is possible." > -> I guess this will be needed if server_1 fails and the user should > automatically be switched to server_2. Is that right? these questions depend on your concept / design / inplementation. if you can afford a little downtime, DPD could be an option for you. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 6:18 PM, Michael Schwartzkopff wrote: > Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: >> On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: >> > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: >> >> Hi Varun, >> >> >> >> we have customers who have successfully been running up to 60k >> >> concurrent tunnels. In order to maximize performance please have >> >> a look at the use of hash tables for IKE_SA lookup >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable >> >> >> >> as well as job priority management >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority >> >> >> >> We also recommend to use file-based logging since writing to syslog >> >> extremely slows down the charon daemon >> >> >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfigurati >> >>on >> >> >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange >> >> where 70-80 % of the computing effort is spent. Use the ecp256 or >> >> the new curve25519 (available with strongSwan 5.5.2) DH groups for >> >> maximum performance. >> >> >> >> ESP throughput is limited by the number of available cores and the >> >> processor clock frequency. Use aes128gcm16 for maximum performance. >> >> >> >> Best regards >> >> >> >> Andreas >> >> >> >> On 16.01.2017 19:00, Varun Singh wrote: >> >> > Hi, >> >> > As I understand, strongSwan supports scalability from 4.x onwards. I >> >> > am new to strongSwan and to VPN in general. >> >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. >> >> > Though I have read that strongSwan supports scalability, I couldn't >> >> > find stats to support it. >> >> > Before adopting strongSwan, my team wanted to know *if it can support >> >> > upto 100k simultaneous connections*. Hence I need to find pointers to >> >> > obtain this kind of information. >> > >> > hi, >> > >> > I think further scaling might be possible with loadbalancers. But this is >> > topic of deeper investigation of the project. >> > >> > Mit freundlichen Grüßen, >> > >> > Michael Schwartzkopff >> > >> > -- >> > [*] sys4 AG >> > >> > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 >> > Schleißheimer Straße 26/MG, 80333 München >> > >> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 >> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer >> > Aufsichtsratsvorsitzender: Florian Kirstein >> > ___ >> > Users mailing list >> > Users@lists.strongswan.org >> > https://lists.strongswan.org/mailman/listinfo/users >> >> Thanks Michael, >> I was just searching whether load balancing is supported by strongSwan >> or not. Came across this thread: >> https://lists.strongswan.org/pipermail/users/2013-November/005615.html >> >> But this didn't lead to any conclusion. >> So is load balancing supported by strongSwan? > > if you use LVS before the VPN server does not know about the load balancing. > You would have to find a solution for the reverse traffic, i.e. IP pools on > the > VPN server. > > LVS offers a feature to do loadbalancing with firewall marks. This might be > nescessary for balancing IKE and ESP together. > > I don't know if a SA sync between strongswan servers is possible. > > But anyway: This setup shold be designed and tested very carefully. > > > Mit freundlichen Grüßen, > > Michael Schwartzkopff > > -- > [*] sys4 AG > > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > Schleißheimer Straße 26/MG, 80333 München > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > Aufsichtsratsvorsitzender: Florian Kirstein > > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users "You would have to find a solution for the reverse traffic, i.e. IP pools on the VPN server." -> This is what I am mainly concerned about. There is something called clusterIP. I need to figure out what it is and how can I use it for load balancing. "I don't know if a SA sync between strongswan servers is possible." -> I guess this will be needed if server_1 fails and the user should automatically be switched to server_2. Is that right? -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Montag, 16. Januar 2017, 18:09:00 schrieb Varun Singh: > On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: > > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: > >> Hi Varun, > >> > >> we have customers who have successfully been running up to 60k > >> concurrent tunnels. In order to maximize performance please have > >> a look at the use of hash tables for IKE_SA lookup > >> > >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable > >> > >> as well as job priority management > >> > >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority > >> > >> We also recommend to use file-based logging since writing to syslog > >> extremely slows down the charon daemon > >> > >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfigurati > >>on > >> > >> The bottleneck for IKE processing is the Diffie-Hellman key exchange > >> where 70-80 % of the computing effort is spent. Use the ecp256 or > >> the new curve25519 (available with strongSwan 5.5.2) DH groups for > >> maximum performance. > >> > >> ESP throughput is limited by the number of available cores and the > >> processor clock frequency. Use aes128gcm16 for maximum performance. > >> > >> Best regards > >> > >> Andreas > >> > >> On 16.01.2017 19:00, Varun Singh wrote: > >> > Hi, > >> > As I understand, strongSwan supports scalability from 4.x onwards. I > >> > am new to strongSwan and to VPN in general. > >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. > >> > Though I have read that strongSwan supports scalability, I couldn't > >> > find stats to support it. > >> > Before adopting strongSwan, my team wanted to know *if it can support > >> > upto 100k simultaneous connections*. Hence I need to find pointers to > >> > obtain this kind of information. > > > > hi, > > > > I think further scaling might be possible with loadbalancers. But this is > > topic of deeper investigation of the project. > > > > Mit freundlichen Grüßen, > > > > Michael Schwartzkopff > > > > -- > > [*] sys4 AG > > > > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > > Schleißheimer Straße 26/MG, 80333 München > > > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > > Aufsichtsratsvorsitzender: Florian Kirstein > > ___ > > Users mailing list > > Users@lists.strongswan.org > > https://lists.strongswan.org/mailman/listinfo/users > > Thanks Michael, > I was just searching whether load balancing is supported by strongSwan > or not. Came across this thread: > https://lists.strongswan.org/pipermail/users/2013-November/005615.html > > But this didn't lead to any conclusion. > So is load balancing supported by strongSwan? if you use LVS before the VPN server does not know about the load balancing. You would have to find a solution for the reverse traffic, i.e. IP pools on the VPN server. LVS offers a feature to do loadbalancing with firewall marks. This might be nescessary for balancing IKE and ESP together. I don't know if a SA sync between strongswan servers is possible. But anyway: This setup shold be designed and tested very carefully. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein signature.asc Description: This is a digitally signed message part. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
On Mon, Jan 16, 2017 at 6:04 PM, Michael Schwartzkopff wrote: > Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: >> Hi Varun, >> >> we have customers who have successfully been running up to 60k >> concurrent tunnels. In order to maximize performance please have >> a look at the use of hash tables for IKE_SA lookup >> >>https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable >> >> as well as job priority management >> >>https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority >> >> We also recommend to use file-based logging since writing to syslog >> extremely slows down the charon daemon >> >>https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration >> >> The bottleneck for IKE processing is the Diffie-Hellman key exchange >> where 70-80 % of the computing effort is spent. Use the ecp256 or >> the new curve25519 (available with strongSwan 5.5.2) DH groups for >> maximum performance. >> >> ESP throughput is limited by the number of available cores and the >> processor clock frequency. Use aes128gcm16 for maximum performance. >> >> Best regards >> >> Andreas >> >> On 16.01.2017 19:00, Varun Singh wrote: >> > Hi, >> > As I understand, strongSwan supports scalability from 4.x onwards. I >> > am new to strongSwan and to VPN in general. >> > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. >> > Though I have read that strongSwan supports scalability, I couldn't >> > find stats to support it. >> > Before adopting strongSwan, my team wanted to know *if it can support >> > upto 100k simultaneous connections*. Hence I need to find pointers to >> > obtain this kind of information. > > hi, > > I think further scaling might be possible with loadbalancers. But this is > topic of deeper investigation of the project. > > Mit freundlichen Grüßen, > > Michael Schwartzkopff > > -- > [*] sys4 AG > > http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 > Schleißheimer Straße 26/MG, 80333 München > > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 > Vorstand: Patrick Ben Koetter, Marc Schiffbauer > Aufsichtsratsvorsitzender: Florian Kirstein > ___ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users Thanks Michael, I was just searching whether load balancing is supported by strongSwan or not. Came across this thread: https://lists.strongswan.org/pipermail/users/2013-November/005615.html But this didn't lead to any conclusion. So is load balancing supported by strongSwan? -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Am Montag, 16. Januar 2017, 20:06:45 schrieb Andreas Steffen: > Hi Varun, > > we have customers who have successfully been running up to 60k > concurrent tunnels. In order to maximize performance please have > a look at the use of hash tables for IKE_SA lookup > >https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable > > as well as job priority management > >https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority > > We also recommend to use file-based logging since writing to syslog > extremely slows down the charon daemon > >https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration > > The bottleneck for IKE processing is the Diffie-Hellman key exchange > where 70-80 % of the computing effort is spent. Use the ecp256 or > the new curve25519 (available with strongSwan 5.5.2) DH groups for > maximum performance. > > ESP throughput is limited by the number of available cores and the > processor clock frequency. Use aes128gcm16 for maximum performance. > > Best regards > > Andreas > > On 16.01.2017 19:00, Varun Singh wrote: > > Hi, > > As I understand, strongSwan supports scalability from 4.x onwards. I > > am new to strongSwan and to VPN in general. > > I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. > > Though I have read that strongSwan supports scalability, I couldn't > > find stats to support it. > > Before adopting strongSwan, my team wanted to know *if it can support > > upto 100k simultaneous connections*. Hence I need to find pointers to > > obtain this kind of information. hi, I think further scaling might be possible with loadbalancers. But this is topic of deeper investigation of the project. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein signature.asc Description: This is a digitally signed message part. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Can strongSwan support 100k concurrent connections?
Hi Varun, we have customers who have successfully been running up to 60k concurrent tunnels. In order to maximize performance please have a look at the use of hash tables for IKE_SA lookup https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable as well as job priority management https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority We also recommend to use file-based logging since writing to syslog extremely slows down the charon daemon https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration The bottleneck for IKE processing is the Diffie-Hellman key exchange where 70-80 % of the computing effort is spent. Use the ecp256 or the new curve25519 (available with strongSwan 5.5.2) DH groups for maximum performance. ESP throughput is limited by the number of available cores and the processor clock frequency. Use aes128gcm16 for maximum performance. Best regards Andreas On 16.01.2017 19:00, Varun Singh wrote: Hi, As I understand, strongSwan supports scalability from 4.x onwards. I am new to strongSwan and to VPN in general. I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. Though I have read that strongSwan supports scalability, I couldn't find stats to support it. Before adopting strongSwan, my team wanted to know *if it can support upto 100k simultaneous connections*. Hence I need to find pointers to obtain this kind of information. -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== smime.p7s Description: S/MIME Cryptographic Signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Can strongSwan support 100k concurrent connections?
Hi, As I understand, strongSwan supports scalability from 4.x onwards. I am new to strongSwan and to VPN in general. I have setup a strongSwan 5.3.5 installed on Ubuntu 16.04LTS. Though I have read that strongSwan supports scalability, I couldn't find stats to support it. Before adopting strongSwan, my team wanted to know *if it can support upto 100k simultaneous connections*. Hence I need to find pointers to obtain this kind of information. -- Regards, Varun ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
