Hi, the ipsec statusall command shows you the number of threads in actual use:
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0

Depending on the plugins you are using, between 8-10 threads are permanently assigned to certain tasks. With our default of 16 threads you have about 8 threads available for serving IKE SAs. It makes sense to have about two threads per core, so our default is usually OK for a quad-core machine. If you have a lot of connections using EAP or XAUTH based authentication delegated to a RADIUS server, or certificate based authentication using OCSP, then we recommend increasing the number of threads because a lot of them will be in a blocking state waiting for RADIUS or OCSP responses. See also our Job Priority Management HOWTO

  http://wiki.strongswan.org/projects/strongswan/wiki/JobPriority

which effectively prevents thread attrition.

Memory requirements are about 10kB per SA, so 1000 connections need 10MB of RAM and 10'000 connections 100MB. Thus memory usage is usually not a problem and computing power becomes the decisive factor.

If your gateway machine has an Intel processor supporting the AES-NI instruction set then I recommend using AES128-GCM authenticated encryption for ESP, since this algorithm can be tremendously accelerated in hardware. If the VPN client does not support AES-GCM (Windows Vista/7/8 does) then go for AES128-HMAC-SHA1-96. AES is up to a factor of 30 faster than 3DES anyway.

Regards

Andreas

On 02/09/2013 01:02 AM, kgardenia42 wrote:
> Hi,
>
> I am using AWS high-cpu medium instance and I find that when I reach
> around 1000 users I get backlogged connection attempts and users start
> to complain about slow/backlogged connection attempts. "ipsec status"
> seems to confirm this.
>
> Any suggestions on ways to tune this? Is the number of threads
> significant to this? The default number of threads is 16. Is this a
> good number for a quad-core machine? Are maybe fewer threads better if
> I only have 4 cores? I realize I can experiment, I just would
> appreciate some "accepted wisdom".
>
> Am I correct in thinking that when selecting a server, CPU is the
> main factor (rather than memory)? i.e. the more and faster CPUs the
> better? I am using AWS high-cpu medium instance; I had hoped to get
> more users per instance than 1000. What are the key things I should
> look at here?
>
> I had read in the past that setting "esp" to a cheaper cipher may be
> helpful, but since I am using iOS devices it seems that they don't want
> to connect if I set a cheaper cipher. I experimentally set it to the
> NULL cipher "null-sha1!". Is there any logging I can enable to see
> what ciphers a client device supports?
>
> Any other obvious areas I should look at?
>
> Thanks.

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
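A small helper for reading the status line quoted in the reply, added here as an example and not strongSwan's own code: it parses the "worker threads:" counters from ipsec statusall output, applies the "about two threads per core plus the 8-10 permanently assigned" rule and the ~10 kB per SA estimate from the reply, and flags thread starvation when no thread is idle or jobs sit in the queue. The priority-class names for the four slash-separated counters, the default of 8 reserved threads, and the sample status lines are my assumptions, constructed so the code runs offline.

```python
import re

# Status line quoted in the reply above (constructed sample, runs offline).
SAMPLE_STATUS = ("worker threads: 8 of 16 idle, 7/1/0/0 working, "
                 "job queue: 0/0/0/0, scheduled: 0")

# Assumption: the four slash-separated counters are the job priority
# classes in the order used by the Job Priority HOWTO.
PRIORITIES = ("critical", "high", "medium", "low")

_LINE = re.compile(
    r"worker threads: (?P<idle>\d+) of (?P<total>\d+) idle, "
    r"(?P<working>\d+(?:/\d+){3}) working, "
    r"job queue: (?P<queue>\d+(?:/\d+){3}), scheduled: (?P<scheduled>\d+)")


def parse_worker_threads(statusall_output):
    """Extract the thread counters from 'ipsec statusall' output."""
    m = _LINE.search(statusall_output)
    if m is None:
        raise ValueError("no 'worker threads:' line in output")

    def per_priority(field):
        return dict(zip(PRIORITIES, (int(x) for x in field.split("/"))))

    return {"idle": int(m["idle"]), "total": int(m["total"]),
            "working": per_priority(m["working"]),
            "queued": per_priority(m["queue"]),
            "scheduled": int(m["scheduled"])}


def recommend_threads(cores, reserved=8):
    """Threads bound to plugin tasks (8-10 per the reply; 'reserved' is an
    assumed default of 8) plus about two per core for serving IKE SAs."""
    return reserved + 2 * cores


def sa_memory_kb(sa_count, kb_per_sa=10):
    """Rough memory need at ~10 kB per SA, as stated in the reply."""
    return sa_count * kb_per_sa


def assess(status, cores, reserved=8):
    """Flag starvation (no idle thread, or jobs waiting) and compare the
    configured total against the per-core recommendation."""
    queued = sum(status["queued"].values())
    starved = status["idle"] == 0 or queued > 0
    recommended = recommend_threads(cores, reserved)
    return {"starved": starved, "queued_jobs": queued,
            "recommended_total": recommended,
            "raise_threads": starved or status["total"] < recommended}
```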
