[Openswan Users] openswan's limitations ?
Craig Kelley
ckelley at ibnads.com
Fri Nov 26 19:27:23 CET 2004
albert agusti wrote:
> Hello all,
>
> I've been testing openswan for some time, and besides some minor rekey
> problems solved very fast with your patch, it works really fine. I've
> been trying to find the maximum supported tunnels in an IPsec Linux
> gateway, and it seems to be only related to cypher speed of processor.
> Could anyone reference the biggest success scenario deployed with
> openswan? Was it done with a single server, or splitting tunnels
> among some machines? I'd like to know about any BIG success with
> Linux and IPsec.
We don't have many tunnels (about 30); but we push a LOT of data through
them. All external tunnels end up with non-Openswan solutions
(Checkpoint, Cisco and Raptor mostly) and stay up for months without a
problem. Openswan is very good about keeping them open too. We push
tens of gigabytes of data through them daily. This is on a
Pentium4-class machine that _never_ breaks a sweat. We get varied
responses from our partners when mentioning the use of
Linux/Open[Free]SWAN. Some say "oh, cool!" while others almost recoil.
We have only had major problems with Cisco on the other end; almost all
of them were resolved by the other party installing some patch from
Cisco :-) (the one time where Free/SWAN was at "fault" was when the
policy on the other end was a key time that exceeded the maximum
compiled-in value).
It's a fine piece of engineering.