[Openswan Users] Max Number of IPsec tunnel

Randy B randy at pillowfactory.org
Fri May 20 22:22:41 CEST 2005


> Anyone know how many tunnels I can establish in a
> roadwarrior configuration with Openswan?

The typical answer to this is 'as many as your hardware can handle'.

> Or better: I need like 300 VPN connections with AES +
> SHA with HTTP traffic (like 32kbps/client). What kind
> of hardware do I need? Is it better to buy dedicated VPN
> hardware?

IRL, I've been working out some of these numbers myself.  I set up a
worst-case baseline system of 3DES/SHA/L2TP and was able to sustain
~40Mb/s with a dual 1-GHz P-III system (yes, L2TP/PPTP ate up an extra
25 cycles/bit).  Scale that out, and I designed (still have running) a
load-balanced pair of servers that should be capable of ~80Mb/s.  The
intended load is 800-1000 concurrent ~20kBps RDP clients.  Put that on
modern hardware (IBM e326, for example), and you're looking at serious
throughput.  I work in some of the largest-scale applications possible,
and I didn't see any need for specialized hardware other than the fact
that upper management still doesn't understand/like 'naked' Linux -
they'll swallow it as a 'black box'.  Danged execs and their supposed
understanding of legal issues.  Wish they'd talk to the lawyers.

Depending on your need and the network architecture you need, some
decent IPSec appliances seem to come out of both Astaro and Bluesocket.
If your management team will go for it, I recommend a
general-processing box; there is indeed more administrative overhead
with a more complex machine, but you can make it do everything you want,
precisely how you want it.  No paying someone else to segregate your
clients into different VLANs - do it yourself!

RB

