Issue #3566
Number of simultaneous connections limited to 1000 in a cluster
Description
Is it possible to limit the number of simultaneous VPN connections in a cluster?
I've tried limiting it with the rightsourceip solution described in the ticket https://wiki.strongswan.org/issues/801, with no luck.
In the manual (https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability) I found that it can be done with a fail-safe MySQL database cluster. I also found that in-memory address pools do not provide any synchronization.
Is it possible to limit simultaneous VPN connections without using a MySQL cluster?
Thank you in advance
History
#1 Updated by Tobias Brunner almost 2 years ago
- Status changed from New to Feedback
> I've tried limiting it with the rightsourceip solution described in the ticket https://wiki.strongswan.org/issues/801, with no luck.
While you could use the in-memory HA pools (see HighAvailability), which are split across the cluster nodes, they might not work perfectly in active-active scenarios because clients might get assigned to a node that has no addresses left while the other still has some (it should work in active-passive scenarios, though).
> In the manual (https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability) I found that it can be done with a fail-safe MySQL database cluster.
Yes, using a limited shared IP address pool would probably be an option.
> Is it possible to limit simultaneous VPN connections without using a MySQL cluster?
Maybe you could use authentication via RADIUS to limit the concurrent sessions. (But why limit connections anyway?)
#2 Updated by Semsot Gram almost 2 years ago
Thx
> Maybe you could use authentication via RADIUS to limit the concurrent sessions. (But why limit connections anyway?)
After reaching a particular threshold of simultaneous connections, some services are hammered and work very slowly. This is why I am looking to limit the number of simultaneous connections on strongSwan.
#3 Updated by Tobias Brunner almost 2 years ago
> After reaching a particular threshold of simultaneous connections, some services are hammered and work very slowly.
So maybe look into that instead.