<HTML><HEAD>
<STYLE id=eMClientCss>BLOCKQUOTE.cite {
PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px
}
BLOCKQUOTE.cite2 {
PADDING-TOP: 0px; PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; MARGIN-TOP: 3px; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px
}
.plain PRE {
FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal
}
.plain TT {
FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal
}
#52c8824632864a758c6797cbe67ed239 {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
.plain PRE {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
.plain TT {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
BODY {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
</STYLE>
</HEAD>
<BODY>
<DIV>Hi all,</DIV>
<DIV> </DIV>
<DIV>I am totally new to linux and strongswan, but after countless hours of reading mailing lists and forums, I have working strongswan 5.2.0 with radius and RSA certficates auth for a variety of devices. <SPAN id=52c8824632864a758c6797cbe67ed239>Currently I am stuck with performance problem (iperf) throw IPSec tunnel from notebook (win8) to server, which are connected throw switch.</SPAN></DIV>
<DIV> </DIV>
<DIV>My server is dual CPU (Xeon E5-2620v2 with AES-NI support) / 6x2 cores (<SPAN class=st>HyperThreading</SPAN> dissabled) / Intel 1Gbps NIC / CentOS v6.5.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Without IPSec I get 640Mbits, cpu load is 18% (one core). Speed quite low, I suspect its because of switch. Will try with crossover cable later.</DIV>
<DIV>------------------------------------------------------------<BR>Client connecting to 10.20.0.1, TCP port 5001<BR>TCP window size: 64.0 KByte (default)<BR>------------------------------------------------------------<BR>[ 3] local 10.0.0.11 port 54248 connected with 10.20.0.1 port 5001<BR>[ ID] Interval Transfer Bandwidth</DIV>
<DIV>[ 3] 0.0-10.0 sec 767 MBytes 643 Mbits/sec</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>With IPSec I get only 181Mbps, cpu load is 14%</DIV>
<DIV><SPAN id=d66040c64cb848ffa3c566c264dace60>------------------------------------------------------------<BR>Client connecting to 10.20.0.1, TCP port 5001<BR>TCP window size: 64.0 KByte (default)<BR>------------------------------------------------------------<BR>[ 3] local 10.20.0.3 port 54513 connected with 10.20.0.1 port 5001<BR>[ ID] Interval Transfer Bandwidth<BR>[ 3] 0.0-10.0 sec 216 MBytes 181 Mbits/sec</SPAN></DIV>
<DIV> </DIV>
<DIV>I am really stuck here, any ideas what could be wrong? I would appreciate any help</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Here is openssl speed test for <SPAN id=48efe4ff72fe46c5a887ce8eb41038e9>aes-128-gcm, which shows 506MBps speed</SPAN>:</DIV>
<DIV><SPAN id=1b43897526d548a19eb413f4a9bc4ad2>------------------------------------------------------------<BR></SPAN>[root@s1 /]# openssl speed -evp aes-128-gcm<BR>The 'numbers' are in 1000s of bytes per second processed.<BR>type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<BR>aes-128-gcm 205988.85k 506637.18k 654777.26k 708192.94k 727229.15k</DIV>
<DIV> </DIV>
<DIV>My ipsec.conf:</DIV>
<DIV><SPAN id=377b27ea9dac4189896e9a2eb50b3c4b><SPAN id=1b43897526d548a19eb413f4a9bc4ad2>------------------------------------------------------------<BR></SPAN></SPAN>conn %default<BR> auto=add<BR> forceencaps=yes<BR> compress=yes<BR> keyexchange=ike<BR> ikelifetime=3h<BR> lifetime=1h<BR> rekeymargin=3m<BR> margintime=9m<BR> left=%defaultroute<BR> leftsubnet=0.0.0.0/0<BR> leftauth=pubkey<BR> leftcert=server-10.0.0.3.crt<BR> leftfirewall=no<BR> right=%any<BR> rightsourceip=10.20.0.2/16<BR> rightdns=212.59.1.1</DIV>
<DIV> </DIV>
<DIV>conn win7_EAP<BR> keyexchange=ikev2<BR> ike=aes128gcm8-sha256-modp1024<BR> esp=aes128gcm8-sha256-modp1024<BR> dpdaction=clear<BR> dpddelay=300s<BR> rekey=no<BR> rightauth=eap-mschapv2<BR> rightsendcert=never<BR> eap_identity=%any<BR></DIV></BODY></HTML>