Hi team
I would like to introduce some new commands that help us with the performance / limitations of IPsec. The settings can be found in:
vyos@vyos:~$ cat /etc/strongswan.d/charon.conf
By default, strongSwan sets:
charon.ikesa_table_segments  1  Number of exclusively locked segments in the hash table, see IKE_SA lookup tuning.
charon.ikesa_table_size  1  Size of the IKE_SA hash table, see IKE_SA lookup tuning.
charon.threads  1  Number of worker threads in charon. Several of these are reserved for long running tasks in internal modules and plugins. Therefore, make sure you don't set this value too low. The number of idle worker threads listed in ipsec statusall might be used as indicator on the number of reserved threads (JobPriority has more on this).
Therefore, if you need to increase the number of tunnels, for performance or for clients connected simultaneously, strongSwan recommends:
https://wiki.strongswan.org/projects/strongswan/wiki/ikesatable
https://wiki.strongswan.org/projects/strongswan/wiki/JobPriority
The idea is that we can change these parameters through the VyOS CLI (it could be a global command):
# Number of exclusively locked segments in the hash table.
# ikesa_table_segments = 1
# Size of the IKE_SA hash table.
# ikesa_table_size = 1
# Number of worker threads in charon.
# threads = 16
thanks
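
Added example (not part of the original post, and not VyOS or strongSwan code): a small shell helper that reports which of the three parameters above are actively set in a charon.conf-style file and which are still commented out, so the built-in default applies. The function name charon_tuning and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# charon_tuning [FILE]: print the effective setting of the three tuning keys.
# Reads FILE, or standard input when no file is given.
charon_tuning() {
    awk '
        BEGIN { n = split("ikesa_table_segments ikesa_table_size threads", keys, " ") }
        /^[ \t]*#/ { next }   # commented-out sample line: built-in default applies
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ "^[ \t]*" keys[i] "[ \t]*=") {
                    v = $0
                    sub(/^[^=]*=[ \t]*/, "", v)    # drop "key = "
                    sub(/[ \t]*(#.*)?$/, "", v)    # drop trailing blanks and comment
                    val[keys[i]] = v
                }
        }
        END {
            for (i = 1; i <= n; i++)
                print keys[i] "=" ((keys[i] in val) ? val[keys[i]] : "default")
        }
    ' "$@"
}

# Constructed sample input, not a real configuration.
charon_tuning <<'EOF'
charon {
    # Number of exclusively locked segments in the hash table.
    # ikesa_table_segments = 1
    ikesa_table_size = 64
    threads = 32  # raised for this example
}
EOF
```

On a router it would be run as `charon_tuning /etc/strongswan.d/charon.conf`, the file named in the post.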