[Openswan Users] openswan's limitations ?

Craig Kelley ckelley at ibnads.com
Fri Nov 26 19:27:23 CET 2004


albert agusti wrote:

> Hello all,
>
> I've been testing openswan for some time, and besides some minor rekey 
> problems solved very fast with your patch, it works really fine. I've 
> been trying to find the maximum supported tunnels in an IPsec Linux 
> gateway, and it seems to be only related to the cipher speed of the processor. 
> Could anyone reference the biggest success scenario deployed with 
> openswan? Was it done with a single server, or by splitting tunnels 
> among some machines? I'd like to know about any BIG success with 
> Linux and IPsec.

We don't have many tunnels (about 30); but we push a LOT of data through 
them.  All external tunnels end up with non-Openswan solutions 
(Checkpoint, Cisco and Raptor mostly) and stay up for months without a 
problem.  Openswan is very good about keeping them open too.  We push 
tens of gigabytes of data through them daily.  This is on a 
Pentium4-class machine that _never_ breaks a sweat.  We get varied 
responses from our partners when mentioning the use of 
Linux/Open[Free]SWAN.  Some say "oh, cool!" while others almost recoil.

We have only had major problems with Cisco on the other end; almost all 
of them were resolved by the other party installing some patch from 
Cisco :-)  (the one time where Free/SWAN was at "fault" was when the 
policy on the other end was a key time that exceeded the maximum 
compiled-in value).

It's a fine piece of engineering.
