On Tue, 2012-08-14 at 12:56 +0200, Tobias Brunner wrote:
> > Having looked at the code. In backend_manager.c there appears to be a
> > linear search through the peer table for candidates matching all the
> > required criteria.
> >
> > Are there any alternative search implementations for larger peer sets?
>
> No, currently not. Even for gateways handling thousands of tunnels a
> few simple road-warrior configs (right=%any etc.) are usually enough,
> making this lookup very fast.
> The problem in your case is probably that you have a config for each
> client with rightcert=<clientcert> because each client has a self-signed
> certificate. Issuing all these certificates from a common CA would
> avoid this as only a single connection entry would be required to handle
> all clients.

Using a CA has some significant downsides for me. RSAsig looks the best.

Is there an EAP or similar mechanism that can be used to offload RSAsig authentication to an AAA server?

Would one of the DB back-ends be faster?

I'm aiming for 20,000 tunnels and 50 auth per sec (peak) on a gateway.
