On Tuesday 29 December 2009 at 22:14 +0100, Andreas Schuldei wrote:
> i have 8 cores, 18gig ram and a fully switched gigabit network with a
> foundry big iron switch.
> i would think that is plenty.

Perfect. In your case, the output is quite low, so I agree there is a problem somewhere.

> why would it be a problem to have apache on the same machine? that is
> the whole point of ipsec transport mode: to provide a secure
> host-to-host transport.

Only for performance issues (if you need very high-speed), my natural guess would be to use a dedicated gateway with hardware encryption (using only supported ciphers) with a cross-cable to a dedicated webserver.

My guess is that there is something wrong with your Apache configuration. It should not reach 90% of CPU usage. Try apache2-mpm-prefork and tweak Apache process memory. But I guess you already tried it?

I don't know the impact of shared memory on strongSwan. I don't know to what extent strongSwan is multithreaded and I did not look at the code.

Anyway, I cannot help you further, my knowledge in strongSwan is too little. When this is fixed, it would be nice to write a performance HOWTO.

Bye,
Jean-Michel
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
