Hi Omar, hi Martin,

we are in front of the challenge to saturate 4x 1 Gbit/s links with IPsec and found this whitepaper:
http://download.intel.com/design/intarch/papers/324238.pdf

In conclusion: You need a newer Xeon with the aes-ni instruction set, a very recent kernel including the Intel module patches for these instructions, and maybe an RFS-capable NIC.

Read also: http://lwn.net/Articles/382428/

HTH,
Alex

----- Original Message -----
From: "Martin Willi" <[email protected]>
To: "Omar Armas" <[email protected]>
CC: [email protected]
Sent: Tuesday, 14 December 2010 16:59:07
Subject: Re: [strongSwan] strongswan limits

Hi Omar,

> -Do you have any idea about what would be the limits (throughput,
> sessions/sec) of a Strongswan installation using a Quad Xeon 2.2Ghz,
> 4Gb RAM + Debian 5? Any idea about how to measure it?

IKE (and ESP) tunnel setup rate is mostly limited by your asymmetric crypto performance, we have some numbers at [1]. We did some upscaling work for up to 20K concurrent IKE+ESP tunnels, you'll find more information about the tools at [2].

Raw ESP data throughput depends on packet size, and most kernels are limited to a single core (somewhere between ~200-500 Mbit/s on your CPU?). With a kernel supporting IPsec processing on multiple cores, it might be possible to saturate a 1Gbit link.

TCP session setup is not directly related to IPsec processing and depends on what you're doing with these sessions on the gateway (connection tracking, firewalling, ...).

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/PublicKeySpeed
[2]http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
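
The three prerequisites named in the thread (AES-NI on the CPU, a kernel that has the AES-NI module registered, RFS switched on) can be checked on a Linux gateway as shown here. This is an added example, not part of the original thread; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the prerequisites named in the thread.
# Paths are arguments so the checks also work on files copied from another host.

# CPU side: the "aes" token in the flags line of /proc/cpuinfo means AES-NI.
has_aesni_cpu() {
    grep -m1 '^flags' "$1" 2>/dev/null | tr ' \t' '\n\n' | grep -qx 'aes'
}

# Kernel side: /proc/crypto lists algorithms registered by the aesni_intel module.
has_aesni_kernel() {
    grep -Eq '^module[[:space:]]*:[[:space:]]*aesni_intel$' "$1" 2>/dev/null
}

# RFS stays off while the global flow table (rps_sock_flow_entries) has size 0.
# The per-queue rps_flow_cnt values must be set as well; that is not checked here.
has_rfs() {
    n=$(cat "$1" 2>/dev/null) || return 1
    [ "${n:-0}" -gt 0 ] 2>/dev/null
}

# Prints one line, e.g. "aesni_cpu=yes aesni_kernel=no rfs=no".
prereq_report() {
    cpu=no; krn=no; rfs=no
    if has_aesni_cpu "$1"; then cpu=yes; fi
    if has_aesni_kernel "$2"; then krn=yes; fi
    if has_rfs "$3"; then rfs=yes; fi
    echo "aesni_cpu=$cpu aesni_kernel=$krn rfs=$rfs"
}

# Constructed sample files (not captured from a real host): the CPU has AES-NI,
# but the kernel only offers the generic AES driver and RFS is left at 0.
write_samples() {
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes pclmulqdq\n' > "$1/cpuinfo"
    printf 'name         : aes\ndriver       : aes-generic\nmodule       : kernel\n' > "$1/crypto"
    printf '0\n' > "$1/rps_sock_flow_entries"
}

# Run against the live system with: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    prereq_report /proc/cpuinfo /proc/crypto /proc/sys/net/core/rps_sock_flow_entries
fi
```

A result of `aesni_cpu=yes aesni_kernel=no` is the case the thread warns about: the hardware is capable, but ESP encryption still runs through the generic software AES path.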
