Hi, > Does anyone have reference numbers about StrongSwan scalability? How many > clients can be supported (in which configuration)?
We have no hard limit, so this highly depends on CPU and available memory. For the IKEv2 daemon, we tested with 20'000 road warrior connections, each IKE_SA+CHILD_SA consumes about 8K of memory. If you properly tune IKE_SA lookup [1], you should get almost linear upscaling. Keep in mind that logging (especially to syslogger) is relatively expensive, have a look at [2]. This should be possible with most responder configurations, handing out virtual IP address from a pool might slow down your setup. > What is the throughput (PPS) (for which configuration? Tunnel setup rate depends on how fast you can do Diffie-Hellman/RSA (see [3]), and which group you use. You might run these tests on your own, use the scripts/ provided with strongSwan. On a Intel quad core system, I have measured 200+ tunnel negotiations/second (1 IKE + 1 CHILD_SA). ESP traffic processing is done in the kernel. Without hardware acceleration, some hundred megabits are possible. Regards Martin [1]http://wiki.strongswan.org/wiki/strongswan/IkeSaTable [2]http://wiki.strongswan.org/wiki/strongswan/LoggerConfiguration [3]http://wiki.strongswan.org/wiki/strongswan/PublicKeySpeed _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
