[Openswan Users] multiple tunnels between two GateWays

Andy Gay andy at andynet.net
Tue Jul 31 15:21:40 EDT 2007


On Tue, 2007-07-31 at 12:51 -0400, Paul Wouters wrote:
> On Tue, 31 Jul 2007, Paul Whelan wrote:
> 
> > I was reading performance about freeswan
> > http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/performance.html
> 
> Ahh, those are very old numbers....
> 
> > which would follow on to openswan would it? I need to open as many tunnels as
> > I can, will I need a different ip for each tunnel? can I just change the
> > encryption method or something minor so it'll be a different tunnel than
> > another one?
> 
> If you only care about measuring phase 2, e.g. IPsec packet sending, and not
> really about phase 1 (IKE), then sure, you can add multiple tunnels by
> just copying a conn definition, renaming it and setting an esp= line.

How about using port selectors? That way you should be able to add a lot
of tunnels.

IMO, phase1 performance is just as important though. In real world
scenarios you're not likely to have lots of tunnels using the same
phase1. Lots of clients connecting to 1 server is more common, in which
case they all need their own IKE SA as well.

I once built a test setup between 2 servers running 4096 tunnels all
with different phase1. I don't remember all the details, I can probably
find some notes if I search hard enough... IIRC, it involved setting up
dummy interfaces on each server and assigning 64 addresses to each, then
constructing 4096 tunnel definitions to build the full mesh between all
possible address pairs. I remember I used X.509 certs as well to ensure
unique identities for each phase1.

It worked OK, until one end was restarted, which would force all the
tunnels to be rebuilt at the same time. Bad things happen then... I
found I had to rate-limit new incoming IKE phase 1 connections (to
udp/500) to <10/sec using an iptables limit match, otherwise there were
so many retransmissions that nothing ever got through. And it was
necessary to use nhelpers=0, or pluto would crash.

I should probably re-run that test sometime, to see if the pluto crash
is fixed. I still don't trust nhelpers>0!

- Andy
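The test rig Andy describes (dummy interfaces carrying 64 addresses each, a 4096-conn full mesh with a distinct certificate per identity, nhelpers=0, and an iptables limit match on udp/500), written out as an added shell example; it is not part of the original thread or of Openswan. The 10.1.0.x/10.2.0.x address ranges, the certificate file names, the esp= choice and the burst size are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: a full-mesh Openswan ipsec.conf
# between N dummy-interface addresses on each of two gateways, plus the IKE
# rate limit the post describes. Assumed: 10.1.0.1-N, 10.2.0.1-N, cert names.
set -eu
LEFT_NET=10.1.0; RIGHT_NET=10.2.0

# Commands that put N addresses on a dummy interface on one gateway.
dummy_addrs() {                      # $1 = N, $2 = network prefix
    echo "ip link add dummy0 type dummy; ip link set dummy0 up"
    i=1; while [ "$i" -le "$1" ]; do
        echo "ip addr add $2.$i/32 dev dummy0"; i=$((i + 1))
    done
}

# One conn per address pair. A distinct cert per left address gives every
# tunnel its own IKE identity, so each pair negotiates its own phase 1.
gen_conn() {                         # $1 = i, $2 = j, $3 = optional protoport
    sel=any; if [ -n "${3:-}" ]; then sel=$(printf '%s' "$3" | tr / -); fi
    printf 'conn mesh-%s-%s-%s\n\tleft=%s.%s\n\tleftcert=left-%s.pem\n' \
        "$1" "$2" "$sel" "$LEFT_NET" "$1" "$1"
    printf '\tright=%s.%s\n\trightid="C=XX, O=Test, CN=right-%s"\n' "$RIGHT_NET" "$2" "$2"
    if [ -n "${3:-}" ]; then printf '\tleftprotoport=%s\n\trightprotoport=%s\n' "$3" "$3"; fi
    printf '\tauthby=rsasig\n\tesp=aes128-sha1\n\tauto=add\n\n'
}

# Full mesh: N*N conns (64 gives 4096). nhelpers=0 in config setup, as the
# post reports was needed. An optional protoport (e.g. 6/80) restricts each
# tunnel with a port selector; other port values between the same pairs
# yield further distinct tunnels without more addresses.
gen_mesh() {                         # $1 = N, $2 = optional protoport
    printf 'config setup\n\tnhelpers=0\n\n'
    i=1; while [ "$i" -le "$1" ]; do
        j=1; while [ "$j" -le "$1" ]; do
            gen_conn "$i" "$j" "${2:-}"; j=$((j + 1))
        done; i=$((i + 1))
    done
}

count_conns() { gen_mesh "$@" | grep -c '^conn '; }

# Admit at most 10 new IKE packets/s on udp/500 so a restart does not drown
# pluto in retransmissions; excess is dropped until the rate falls.
ike_ratelimit_rules() {
    echo "iptables -A INPUT -p udp --dport 500 -m limit --limit 10/second --limit-burst 20 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 500 -j DROP"
}

# Usage: sh mesh.sh 64 > /etc/ipsec.conf  (no argument: only define functions)
if [ -n "${1:-}" ]; then gen_mesh "$1"; fi
```

Run the dummy_addrs output on each gateway (with its own prefix), install the generated ipsec.conf and the certificates it names, and apply the ike_ratelimit_rules output before restarting either end.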