[Openswan Users] openswan's limitations ?

Ted Kaczmarek tedkaz at optonline.net
Sat Nov 27 05:27:37 CET 2004


On Fri, 2004-11-26 at 19:27 -0700, Craig Kelley wrote:
> albert agusti wrote:
> 
> > Hello all,
> >
> > I've been testing openswan for some time, and besides some minor rekey 
> > problems solved very fast with your patch, it works really fine. I've 
> > been trying to find the maximum supported tunnels in an IPsec Linux 
> > gateway, and it seems to be only related to cypher speed of processor. 
> > Could anyone reference the biggest success scenario deployed with 
> > openswan ? It was done with a single server ? or splitting tunnels 
> > among some machines ? I'd like to know about any BIG success with 
> > Linux and IPsec.
> 
> We don't have many tunnels (about 30); but we push a LOT of data through 
> them.  All external tunnels end up with non-Openswan solutions 
> (Checkpoint, Cisco and Raptor mostly) and stay up for months without a 
> problem.  Openswan is very good about keeping them open too.  We push 
> tens of gigabytes of data through them daily.  This is on a 
> Pentium4-class machine that _never_ breaks a sweat.  We get varied 
> responses from our partners when mentioning the use of 
> Linux/Open[Free]SWAN.  Some say "oh, cool!" while others almost recoil.
> 
> We have only had major problems with Cisco on the other end; almost all 
> of them were resolved by the other party installing some patch from 
> Cisco :-)  (the one time where Free/SWAN was at "fault" was when the 
> policy on the other end was a key time that exceeded the maximum 
> compiled-in value).
> 
> It's a fine piece of engineering.
> 
I have 14 on a P3 867 MHz, 512 megs, also to Cisco, Checkpoint,
Netscreen, Openswan, and had a Watchguard up as well for a while. All of
this is mission critical and Openswan has been flawless since we
migrated to it. 


Ted




