[strongSwan] very low performance of IKEv2 ESP, please help

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Kemeris, Hello Martin,

ESP decryption and verification isn't done by strongSwan. It's done by the kernel. Hence, kernel algorithms are used.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 03.10.2014 um 13:10 schrieb kemeris:
>  Thank you for your reply Martin,
>
>
>> The esp= keyword has an implicit fallback proposal if you don't append
>> an exclamation mark, refer to the ipsec.conf manpage for details.
> I feel silly right now, this was my mistake as I already saw this on manpage.
>
>> Most likely you are actually using AES256 with SHA1-HMAC, for which
>> 181Mbps is in the range of what to expect.
> You are absolutely right, and looks like Win8 also does not support AES-GCM.
> Anyway, with AES_CBC_128 I have quite similar results, about 205Mbps.
>
>> If you need more throughput for these clients, you probably want to have
>> a look at the Linux pcrypt extensions to parallelize IPsec to multiple
>> cores.
> Thanks, I have already saw Steffen Klassert document. At the moment I want to get max performance from one core.
>
> I really want to understand, what is limiting factor in this particular case. My server can handle 600Mbps unencrypted traffic using one core, encryption of aes-128-cbc can achieve 405MBps also with one core (at least with OpenSSL library). Why I get only 181Mbps while core load is only 14%.
>
> Most important thing to me is to understand whole picture. Can you point me to right direction for future reading?
> Also, how to check what crypto library strongswan currently use. Maybe switching to newer kernel would help, my current kernel is v2.6.32.
>
> Thank you in advance
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJULoRqAAoJEDg5KY9j7GZYZcMP/2/Pp+Fp2qI9ECZgC6aVPpZS
9qwBB7XYNzJ7DorHuoyaj8Op79SRGwuDsRPT+M1FD0LQ9oZ9p5BYL18fZoVQsBpy
usFxyRBsyAoN9S/6Gth61/IyX9usgZmNLDlOqKxswB3LYKT22s7UnZBZC6lsMhhX
vTfObdeNp6tLzqzXuxjtanwaSXuroSy2/bWjxsrfrRB7y2p6qNfGKRxNbVqF6oaT
KhlKI13KohUmMn895rUqc8qVvmCtCxI+eWph9nPzOHa1jlUs+si3rJxn6jmxSsKD
6D8sTcx9s50AQxJViI5RXH/3qWocKm87w9Ju0j0d10gQn8+NIbtj6vAj89lrhxi6
FGepGD12rDG5l1dKJx2Y5XfaOhnWFTMYOaYcIs64nBd27viQ2NuyauMIF6+M95Sy
K2IfRTfJGkR9+S8D+hmcUYRdEA6bFyaiLMME/TDkktNxhbaX2gYbBe1qeJT8Embt
d+A5DYDhQr8aLMN6Ysie9IcgiEEyicu8RAUJ4JANfDUCt4fWCIWbT5gPZ3Y1kowi
mUrGePwR/+VFic3p90EjYd6rwBAippfAv1ODVUgxWQSq5qKWzUR6LSnpghmTlZif
G+LyoP9YMxSAPAbGojP5g6dGc6Ya+yOn68YHeJ89qko2Bksj3V6LhpZuv9MTNBBx
0G3Ad9TpLriLPfjNji3E
=ZH1L
-----END PGP SIGNATURE-----