[Openswan Users] Scalability and performance of OpenSwan tunnels compared to individual SSL request/response cycles

Paul Wouters paul at xelerance.com
Sun Aug 28 13:06:59 EDT 2011

On Wed, 24 Aug 2011, Samba wrote:

> Here are my questions/doubts regarding the scalability/performance of this setup:
>  *  First of all, we plan to use CentOS6, so will the kernel support for IPSec in CentOS6 be sufficient to establish
>     tunnels between machines, or will I still need OpenSwan?

openswan is part of centos. You have a choice of NETKEY kernel stack and KLIPS kernel stack.
You can pick the default NETKEY stack, unless you have overlapping IPs on your connecting clients'
subnets (e.g. multiple subnets or duplicate subnets behind a NAT router). Then you
need to use KLIPS with SAref.

>  *  Can the IPSec software scale as much as we need to support creating a few thousand tunnels on the server machine
>     with the above mentioned hardware configuration?


>  *  What will be the CPU and memory consumption when we make those many tunnels on the server machine?

Memory consumption is pretty low. CPU usage depends on the amount of traffic, not the number of tunnels.

>  *  It is said that a web server scales many times better for ordinary https requests than for keep-alive https requests; wouldn't
>     that same analogy apply here, where having each application make a separate SSL request for a short period of time
>     and then close the connection would scale much better than having those many thousands of dedicated tunnels running live,
>     although idle?

Yes, it should reduce the overhead of SSL/TLS. The IPsec SA lookup should be really fast per-packet.

>  *  we would want the server system to also do some very essential stuff other than managing this tunnelling business,
>     so can this design scale and perform reasonably?

I think so, but it depends on the other things you run and how much resources those take.
