<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Noel,<div class=""><br class=""></div><div class="">thanks for your response. <br class=""><div><blockquote type="cite" class=""><div class="">On 11 May 2017, at 22:38, Noel Kuntze <<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" class="">noel.kuntze+strongswan-users-ml@thermi.consulting</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hello Christian,<br class=""><br class=""><blockquote type="cite" class="">Then I simulate a *varying delay* in the network cards and this seems to be the problem because when I make a ping between the two networks over vpn and internet latency is around*70ms (30ms deviation)*. The two servers have ping times around 32ms (3ms deviations). With varying delay activated the simulated throughput is only around 55MBit. My question is now if there is any *tuning possibility* in strongswan to*deal *with this *varying latency*.<br class=""></blockquote><br class="">You can't, because no VPN packets go through strongSwan.<br class=""></div></div></blockquote><div>Ok. So this is because strongswan is using Linux kernel for encryption and packet routing?! </div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><blockquote type="cite" class=""><br class="">Kind regards <br class="">Christian <br class=""><br class="">conn RoutertoRouter<br class=""> keyexchange=ikev2<br class=""> right=192.168.100.2<br class=""> rightid=@test1<br class=""> rightsubnet=10.5.0.0/16<br class=""> left=192.168.100.1<br class=""> leftsubnet=10.4.0.0/16<br class=""> leftid=@test2<br class=""> auto=add<br class=""> authby=secret<br class=""> ikelifetime=3h<br class=""> keylife=600s<br class=""> rekeymargin=200s<br class=""> leftfirewall=yes<br class=""> mobike=no<br class=""> fragmentation=no<br class=""> keyingtries=%forever<br class=""> closeaction=restart<br class=""> dpdaction=restart<br class=""> esp=aes128-sha1-modp2048<br class=""> ike=aes128-sha1-modp2048<br class=""></blockquote><br class="">That conn is pretty bad.<br class="">Use auto=route, don't set closeaction. Don't set fragmentation (it only makes things worse, if you ever disable it, because it's not used when it's not needed anyway).<br class="">You can probably replace aes128-sha1 with aes128gcm8(-prfsha256). That is very likely faster (lower CPU load).<br class=""></div></div></blockquote><div>Ok I changed the connection to make it faster (config is added below). However I can see no change in the performance with varying delay in the network...</div><div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">conn RoutertoRouter</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> keyexchange=ikev2</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> right=192.168.100.2</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> rightid=@</span>test2</div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> rightsubnet=10.5.0.0/16</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> left=192.168.100.1</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> leftsubnet=10.4.0.0/16</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> leftid=@test1</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> auto=route</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> authby=secret</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> ikelifetime=3h</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> keylife=600s</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> rekeymargin=200s</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> leftfirewall=yes</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> mobike=no</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> keyingtries=%forever</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> esp=aes128gmac-sha1-modp2048!</span></div><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> ike=null-sha1-modp2048!</span></div></div><div><br class=""></div><div><br class=""></div>Kind regards</div><div>Christian <br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class="">Kind regards,<br class="">Noel<br class=""><br class="">-- <br class="">Noel Kuntze<br class="">IT security consultant<br class=""><br class="">GPG Key ID: 0x0739AD6C<br class="">Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C<br class=""><br class=""><br class=""></div></div></blockquote></div><br class=""></div></body></html>