Is there any limit on the maximum number of IPsec tunnels?



  • Hi,
    I wanted to create around 40+ IPsec tunnels from 1 pfSense installation to 39 others located in different parts of the world. I am wondering, is there any limit?
    If not, what is the meaning of this?

    /var/etc/ipsec/strongswan.conf

    charon {
            # number of worker threads in charon
            threads = 16
            ikesa_table_size = 32
    }



  • It's only limited by the hardware. Strongswan suggests tuning the ikesa_table_size if you are running thousands of connections. https://wiki.strongswan.org/projects/strongswan/wiki/IkeSaTable
    FWIW, on old server-class hardware, I see 11/16 threads idle with 32 tunnels active. You should be fine with 40 tunnels, see the Strongswan doc for fine detail on the config settings.



  • Hello
    I have 50 phase 1 and 150 phase 2 on my pfSense server (HP G8).

    CPU Type: Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz
    8 CPUs: 2 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    Hardware crypto: AES-CBC, AES-XTS, AES-GCM, AES-ICM

    The last tunnel I created is causing trouble. Phases 1 and 2 come UP from time to time, and when they are UP, no traffic passes.

    I tested this VPN on a virtual machine pfSense and everything is OK.

    I wonder if I'm reaching a tunnel limit. If yes, how to properly modify the ikesa_table_size value to 1024 so that it is taken into account in case of reboot / upgrade?

    Thank you for your help.
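The second reply above judges headroom from the charon thread pool and the IKE_SA hash table, and the last post asks whether 50 phase 1 tunnels are crowding those settings. The script below is an added example, not code from the thread or from strongSwan/pfSense: it reads the `threads` and `ikesa_table_size` values out of a `charon {}` block and compares them with the worker-thread and SA counts printed by `ipsec statusall`. Both inputs are constructed here, and the `ipsec statusall` line layout is assumed from strongSwan's usual output.

```python
"""Capacity check for a strongSwan charon: compares the configured thread pool
and IKE_SA hash table against live worker-thread and SA counts.
Added example; strongswan.conf and `ipsec statusall` text below are constructed."""
import re

# Constructed charon block in the style of /var/etc/ipsec/strongswan.conf.
STRONGSWAN_CONF = """charon {
    # number of worker threads in charon
    threads = 16
    ikesa_table_size = 32
}
"""

# Constructed excerpt of `ipsec statusall` (line layout assumed from strongSwan).
STATUSALL = """Status of IKE charon daemon (strongSwan 5.9.8, FreeBSD 14.0):
  uptime: 3 days, since Jan 01 00:00:00 2024
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 40
Security Associations (50 up, 2 connecting):
"""


def parse_charon_settings(conf: str) -> dict:
    """Return the integer settings inside the charon {} block, ignoring # comments."""
    block = re.search(r"charon\s*\{(.*?)\}", conf, re.S)
    settings = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(\d+)$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def parse_statusall(text: str) -> dict:
    """Extract idle/total worker threads and up/connecting IKE_SA counts."""
    t = re.search(r"worker threads:\s*(\d+) of (\d+) idle", text)
    s = re.search(r"Security Associations \((\d+) up, (\d+) connecting\)", text)
    return {
        "idle_threads": int(t.group(1)) if t else 0,
        "total_threads": int(t.group(2)) if t else 0,
        "sas_up": int(s.group(1)) if s else 0,
        "sas_connecting": int(s.group(2)) if s else 0,
    }


def capacity_report(conf: str, status: str) -> dict:
    """Relate live load to the two tunables the thread discusses."""
    cfg, live = parse_charon_settings(conf), parse_statusall(status)
    active = live["sas_up"] + live["sas_connecting"]
    table = cfg.get("ikesa_table_size", 1)  # strongSwan default is 1 bucket
    return {
        "threads_busy": live["total_threads"] - live["idle_threads"],
        "threads_total": cfg.get("threads", live["total_threads"]),
        # mean IKE_SAs per hash bucket; above 1 lookups walk longer chains
        "sa_per_bucket": active / table,
    }


if __name__ == "__main__":
    print(capacity_report(STRONGSWAN_CONF, STATUSALL))
```

A ratio well above 1 is the signal to raise `ikesa_table_size`, while a busy-thread count near `threads` points at the worker pool instead; neither is a hard tunnel limit.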