[Openswan Users] openswan's limitations ?
Ted Kaczmarek
tedkaz at optonline.net
Sat Nov 27 05:27:37 CET 2004
On Fri, 2004-11-26 at 19:27 -0700, Craig Kelley wrote:
> albert agusti wrote:
>
> > Hello all,
> >
> > I've been testing openswan for some time, and besides some minor rekey
> > problems solved very fast with your patch, it works really fine. I've
> > been trying to find the maximum supported tunnels in an IPsec Linux
> > gateway, and it seems to be only related to cypher speed of processor.
> > Could anyone reference the biggest success scenario deployed with
> > openswan? It was done with a single server? Or splitting tunnels
> > among some machines? I'd like to know about any BIG success with
> > Linux and IPsec.
>
> We don't have many tunnels (about 30); but we push a LOT of data through
> them. All external tunnels end up with non-Openswan solutions
> (Checkpoint, Cisco and Raptor mostly) and stay up for months without a
> problem. Openswan is very good about keeping them open too. We push
> tens of gigabytes of data through them daily. This is on a
> Pentium4-class machine that _never_ breaks a sweat. We get varied
> responses from our partners when mentioning the use of
> Linux/Open[Free]SWAN. Some say "oh, cool!" while others almost recoil.
>
> We have only had major problems with Cisco on the other end; almost all
> of them were resolved by the other party installing some patch from
> Cisco :-) (the one time where Free/SWAN was at "fault" was when the
> policy on the other end was a key time that exceeded the maximum
> compiled-in value).
>
> It's a fine piece of engineering.
>
I have 14 on a P3 867 MHz, 512 megs, also to Cisco, Checkpoint,
Netscreen, Openswan, and had a Watchguard up as well for a while. All of
this is mission critical and Openswan has been flawless since we
migrated to it.
Ted