[strongSwan] Performance (in)dependent on ingress rate?

Adam Tisovsky tisovsky at gmail.com
Thu Sep 1 16:47:29 CEST 2011

Thank you Nima,

your info is very valuable, as I thought that mentined behavior would be
quite specific for Cisco IOS. Now I'm more encouraged to do that tests :)

BTW, does anybody know of a tool that seeks for a max. forwarding rate using
UDP (iterating the bitrate)? I have been searching for it for a long time,
but unsuccesfully, so probably I'll have to write some script for Iperf.

Thank you

On Thu, Sep 1, 2011 at 11:47 AM, nima chavooshi <nima0102 at gmail.com> wrote:

> Hi
> I had experienced this behavior with snort in inline mode. in my test bed,
> I flow X mega byte on snort machine, X mg without any delay has been handle.
> but I increased traffic by 2 times. but snort machine only could X/2
> handled!
> So I think your information is true.
> Thanks
> On Thu, Sep 1, 2011 at 1:11 AM, Adam Tisovsky <tisovsky at gmail.com> wrote:
>> Hello,
>> I’m doing some benchmarks of IPsec performance on Cisco router and I have
>> experienced the situation described bellow. My question is whether anybody
>> has performed simillar tests on StrongSWAN and can tell how did it behave.
>> When you are gradually increasing the rate of traffic to be secured (using
>> UDP as a transport protocol) you reach the maximum possible throughput of
>> the device. But when you continue increasing the rate of ingress traffic
>> beyond this point, the fowarding rate of device will decrease. Example:
>> Max. throughput of device is 10 Mbps. If Ingress traffic rate is 10 Mbps,
>> then forwarding rate is 10 Mbps.  But when ingress rate is 20 Mbps, you get
>> forwarding rate only 5 Mbps.
>>  I have experienced this on Cisco 1841 router with HW accelerator
>> DISABLED. After some investigation I foud out that more ingress traffic
>> utilizes main CPU more by interrupts. And interrupts go on the expense of
>> encryption process. Therefore the decrease of forwarding rate. With HW
>> accelerator enabled this situation on does not occur, device forwards
>> traffic at the maximum rate even if it’s overloaded by the ingress tarffic.
>> I didin’t find any information dealing with this, however I find it quite
>> interesting. I’m also planning to do the tests on StrongSWAN, but it takes
>> some time. So any information will be helpful in advance.
>> Thank you
>> Adam
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110901/3b03be15/attachment.html>

More information about the Users mailing list