[strongSwan-dev] StrongSwan 5.6.3, Netlink performance issue as responder.
tobias at strongswan.org
Tue Dec 4 11:42:19 CET 2018
> What I mean by this is request and response for the kernel-netlink
> messages are taking more and more time as the number of established
> tunnels count, I have tried both with the parallel option enabled and
> disabled, see the observation for both below.
I'd say that's to be expected and probably related to how the kernel
manages policies. They are stored in a linear list, sorted by priority.
So every additional CHILD_SA takes longer to install because the
policies have to be inserted in the correct location in that list.
> 1. When parallel flag
I wouldn't expect this to change anything because the kernel has to lock
the policy lists and SA hash tables globally.
You could try if the settings in the
charon.plugins.kernel-netlink.spdh_thresh section in strongswan.conf 
help, which configure the kernel to hash parts of the selectors of the
policies (how well that works depends on the negotiated traffic
selectors and the configured thresholds). Note that the size of the
policy hash table can't be configured, it's limited to 8 buckets (so if
you manage to hash policies you get eight lists instead of one, or nine
if you consider the overflow list for policies that aren't hashed due to
> Note: Route installation is disabled.
You mean via charon.install_routes? That's good, as installing one or
more routes for every client is another bottleneck with lots of clients.
And if e.g. virtual IPs are used, a single route can easily cover all
clients if it's even necessary.
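The mechanism Tobias describes above (one priority-sorted policy list whose insertion cost grows with every CHILD_SA, versus selector hashing that spreads policies over eight buckets plus an overflow list for policies whose selectors do not reach the thresholds) can be modelled in a few lines. The following is an added illustration, not strongSwan or kernel code: the bucket count (8) comes from the post, the hash function is an assumption of the model, and the `lbits`/`rbits` parameters mirror the `charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits`/`.rbits` strongswan.conf keys, which set the minimum local/remote prefix length a policy needs before it is hashed. The client addresses are constructed sample data.

```python
"""Model of why policy installation slows down as the number of tunnels grows.

Constructed illustration (not strongSwan or kernel code): policies live in
priority-sorted lists; with selector hashing, policies whose prefix lengths
reach the configured thresholds are spread over hash buckets (8, as the post
states), all others land on a single overflow ("inexact") list.
"""
import ipaddress
from dataclasses import dataclass

BUCKETS = 8                                  # the post: policy hash table limited to 8 buckets
ANY4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    priority: int
    local: ipaddress.IPv4Network             # local traffic selector
    remote: ipaddress.IPv4Network            # remote traffic selector


def insert_sorted(lst, pol):
    """Insert into a priority-sorted list; return how many entries were walked.

    Equal priorities go after existing ones, so a list of same-priority
    policies is scanned end to end on every insert (the growing cost).
    """
    walked = 0
    for i, existing in enumerate(lst):
        walked += 1
        if pol.priority < existing.priority:
            lst.insert(i, pol)
            return walked
    lst.append(pol)
    return walked


class LinearStore:
    """One global list: the situation the post describes without hashing."""
    def __init__(self):
        self.policies = []

    def add(self, pol):
        return insert_sorted(self.policies, pol)


class HashedStore:
    """Selector-hashed store. lbits/rbits are the minimum prefix lengths a
    policy needs to be hashed; the hash itself is an assumption of this model."""
    def __init__(self, lbits, rbits, buckets=BUCKETS):
        self.lbits, self.rbits = lbits, rbits
        self.buckets = [[] for _ in range(buckets)]
        self.inexact = []                    # overflow list: policies that can't be hashed

    def bucket_of(self, pol):
        if pol.local.prefixlen < self.lbits or pol.remote.prefixlen < self.rbits:
            return None                      # below threshold -> overflow list
        l = int(pol.local.network_address) >> (32 - self.lbits) if self.lbits else 0
        r = int(pol.remote.network_address) >> (32 - self.rbits) if self.rbits else 0
        return (l * 2654435761 + r) % len(self.buckets)

    def add(self, pol):
        b = self.bucket_of(pol)
        return insert_sorted(self.inexact if b is None else self.buckets[b], pol)


def is_hashed(lbits, rbits, local_cidr, remote_cidr):
    """True if a policy with these selectors would be hashed under the thresholds."""
    pol = Policy(1, ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr))
    return HashedStore(lbits, rbits).bucket_of(pol) is not None


def simulate(n_clients, lbits, rbits):
    """Install one policy per road-warrior client (virtual IP /32 as remote
    selector, 0.0.0.0/0 as local) into both stores; return the total list
    entries walked by each and the size of the overflow list."""
    linear, hashed = LinearStore(), HashedStore(lbits, rbits)
    cost = {"linear": 0, "hashed": 0}
    for i in range(n_clients):
        # constructed client: virtual IPs handed out from 10.0.0.0/16
        vip = ipaddress.ip_network(f"10.0.{i // 256}.{i % 256}/32")
        pol = Policy(priority=1000, local=ANY4, remote=vip)
        cost["linear"] += linear.add(pol)
        cost["hashed"] += hashed.add(pol)
    cost["inexact"] = len(hashed.inexact)
    return cost


if __name__ == "__main__":
    print("thresholds 32/32 (host-to-host only):", simulate(800, 32, 32))
    print("thresholds 0/32 (road-warrior VIPs): ", simulate(800, 0, 32))
```

With a local selector of 0.0.0.0/0, thresholds of 32/32 hash nothing and every policy ends up on the overflow list, so the cost is identical to the unhashed case; lowering the local threshold to 0 while keeping the remote one at 32 lets the /32 virtual-IP policies spread over the eight buckets. A client that negotiates a wider remote selector (say a /24) still falls back to the overflow list, which is what the post means by the benefit depending on the negotiated traffic selectors.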