Issue #3566

Number of simultaneous connections limited to 1000 in a cluster

Added by Semsot Gram about 1 month ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.9.0
Resolution:

Description

Is it possible to limit the number of simultaneous VPN connections in a cluster?
I've tried limiting by the rightsourceip solution described in the ticket https://wiki.strongswan.org/issues/801, with no luck.

In the manual I found https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability that it can be done with a fail-safe MySQL database cluster. I also found that in-memory address pools do not provide any synchronization.

Is it possible to limit simultaneous VPN connections without using a MySQL cluster?

Thank you in advance

History

#1 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

> I've tried limiting by the rightsourceip solution described in the ticket https://wiki.strongswan.org/issues/801, with no luck.

While you could use the in-memory HA pools (see HighAvailability), which are split across the cluster nodes, they might not work perfectly in active-active scenarios because clients might get assigned to a node that has no addresses left while the other still has some (it should work in active-passive scenarios, though).

> In the manual I found https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability that it can be done with a fail-safe MySQL database cluster.

Yes, using a limited shared IP address pool would probably be an option.

> Is it possible to limit simultaneous VPN connections without using a MySQL cluster?

Maybe you could use authentication via RADIUS to limit the concurrent sessions. (But why limit connections anyway?)
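
A simplified model of the pool behaviour described in comment #1, added here as an illustration (it is not strongSwan code and not part of the ticket): it compares a pool split across two active nodes with the same pool owned by one node or shared by all. The function names, the near-equal split and the client arrival lists are assumptions of the model.

```python
import random

def lease(total_addrs, owners, arrivals):
    """Simulate address leasing and return (accepted, rejected, unused).

    total_addrs -- size of the virtual IP pool (the intended connection limit)
    owners      -- owners[i] is the node currently serving share i of the pool;
                   the pool is cut into len(owners) near-equal shares (assumed)
    arrivals    -- node index each connecting client lands on, in order
    """
    base, extra = divmod(total_addrs, len(owners))
    free = {}  # node -> number of addresses it may still hand out
    for share, node in enumerate(owners):
        free[node] = free.get(node, 0) + base + (1 if share < extra else 0)
    accepted = rejected = 0
    for node in arrivals:
        if free.get(node, 0) > 0:
            free[node] -= 1
            accepted += 1
        else:
            rejected += 1  # this node has no address left, even if a peer has
    return accepted, rejected, sum(free.values())

def random_arrivals(clients, nodes, seed=1):
    """Constructed sample input: clients spread over nodes at random."""
    rng = random.Random(seed)
    return [rng.randrange(nodes) for _ in range(clients)]

if __name__ == "__main__":
    # Active-active: each node owns one half of a 1000-address pool.
    print("active-active, split pool:",
          lease(1000, [0, 1], random_arrivals(1000, 2)))
    # Active-passive: the active node serves both halves.
    print("active-passive, one owner:", lease(1000, [0, 0], [0] * 1000))
    # Shared pool: behaves like a single owner whichever node is reached.
    print("single shared pool:       ", lease(1000, [0], [0] * 1000))
```

In the split case every rejected client corresponds to an address left unused on the other node, so the effective limit falls below the pool size unless the load happens to be perfectly balanced.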

#2 Updated by Semsot Gram about 1 month ago

Thx

> Maybe you could use authentication via RADIUS to limit the concurrent sessions. (But why limit connections anyway?)

After reaching a particular threshold of simultaneous connections, some services are hammered and work very slowly. This is why I am looking to limit the amount of simultaneous connections on strongSwan.

#3 Updated by Tobias Brunner about 1 month ago

> After reaching a particular threshold of simultaneous connections, some services are hammered and work very slowly.

So maybe look into that instead.
