[strongSwan] charon RSA tunnel setup speed hints?

Andreas Steffen andreas.steffen at strongswan.org
Mon Aug 13 20:47:18 CEST 2012

Hi Rich,

IKEv2 spends most of its time (more than 80%) in public key
computations (DH exchange and RSA signature generation).

One way to accelerate the generation of the public DH factor
without compromising security is the strongswan.conf setting

libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

If you want still more big number acceleration then you
would need a hardware accelerator with an OpenSSL engine.

With more than 2000 tunnels linear search of the IKE SAs
gets very slow. Read our HOWTO telling you how to use hash
tables to speed up the search:


Best regards


On 13.08.2012 12:54, Richard Andrews wrote:
> Hi all
> I'm building an M2M application using strongswan with RSA-sig auth. I
> have a test bed running 5000 tunnels but I'm hitting a bottleneck in
> tunnel setup speed. I'm only getting about 5 tunnels per second setup
> (charon > 90% CPU).
> What should I be investigating to increase the tunnel setup rate?
> What crypto acceleration can charon make use of?
> The test setup:
>  - strongswan-4.6.2 (built from source for 64-bit).
>  - RSA sig (2048 bit) + modp1024
>  - Unique RSA key per tunnel wrapped in self-signed cert for convenient
> ID + pubkey package.
>  - 64-bit qemu-kvm guest (CentOS 6) is running charon. The host is a 3.2
> GHz quad core machine.
> Kernel level encrypted throughput (AES256) is good for my purposes, but
> charon is consuming an unexpectedly large amount of CPU time when
> tunnels are set up. So I'm guessing it's something specific to the RSA
> calculations as AES seems to fly.
> There is no other IO, no swap, running completely from RAM.
> --
>   Rich
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
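
Added example, not part of the original message and not strongSwan code: it counts the modular multiplications a plain square-and-multiply needs for a modp1024 DH exchange with a full-length private exponent versus a short one, which is the saving the dh_exponent_ansi_x9_42 = no setting above is after. It assumes the setting replaces the full-length exponent with one sized to the group's strength; the 256-bit length and all function names are illustrative assumptions.

```python
import secrets

# 1024-bit MODP prime (IKE group 2, "modp1024") from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def private_exponent(bits):
    """Random exponent of exactly `bits` bits (top bit forced to 1)."""
    return secrets.randbits(bits) | (1 << (bits - 1))

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, multiplication count)."""
    result, ops = base % mod, 0
    for bit in bin(exp)[3:]:              # skip '0b' and the leading 1 bit
        result = result * result % mod    # one squaring per remaining bit
        ops += 1
        if bit == "1":
            result = result * base % mod  # extra multiply for every set bit
            ops += 1
    return result, ops

def dh_exchange(exp_bits):
    """Run both sides of one DH exchange; return (secrets_match, ops_per_peer)."""
    a, b = private_exponent(exp_bits), private_exponent(exp_bits)
    pub_a, ops_pub = modexp_counted(G, a, P)            # peer A's public value
    pub_b, _ = modexp_counted(G, b, P)                  # peer B's public value
    shared_a, ops_shared = modexp_counted(pub_b, a, P)  # A derives the secret
    shared_b, _ = modexp_counted(pub_a, b, P)           # B derives the secret
    return shared_a == shared_b, ops_pub + ops_shared

if __name__ == "__main__":
    for bits in (1024, 256):  # full-length vs. assumed short exponent
        ok, ops = dh_exchange(bits)
        print(f"{bits:4d}-bit exponent: match={ok}, "
              f"{ops} modular multiplications per peer")
```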
