[strongSwan] charon RSA tunnel setup speed hints?

Richard Andrews richard.andrews at symstream.com
Mon Aug 13 12:54:35 CEST 2012

Hi all

I'm building an M2M application using strongswan with RSA-sig auth. I
have a test bed running 5000 tunnels but I'm hitting a bottleneck in
tunnel setup speed. I'm only getting about 5 tunnels per second setup
(charon > 90% CPU).

What should I be investigating to increase the tunnel setup rate?

What crypto acceleration can charon make use of?

The test setup:
 - strongswan-4.6.2 (built from source for 64-bit).
 - RSA sig (2048 bit) + modp1024
 - Unique RSA key per tunnel wrapped in self-signed cert for convenient
ID + pubkey package.
 - 64-bit qemu-kvm guest (CentOS 6) is running charon. The host is a 3.2
GHz quad core machine.

Kernel level encrypted throughput (AES256) is good for my purposes, but
charon is consuming an unexpectedly large amount of CPU time when
tunnels are setup. So I'm guessing it's something specific to the RSA
calculations as AES seems to fly.

There is no other IO, no swap, running completely from RAM.


More information about the Users mailing list