[strongSwan] Throughput / tuning
kgardenia42 at googlemail.com
Wed Dec 12 19:20:59 CET 2012
I am using an AWS Ubuntu 12.04 (64 bit) as my VPN server.
On a side-by-side test I can see about a 50% drop-off in speed
downloading a file via the VPN vs not (to a file-server on the same
LAN as the VPN server) with the client being an IOS device.
20 secs on WIFI
25-30 secs on WIFI + VPN
When the VPN is involved I see a more "bursty" experience. Almost
like TCP buffers need tuned or whatever.
My question is: should I expect that level of drop-off (all things
being equal) or does that seem excessive? It seems somewhat excessive
to me. Also, in terms of tuning or troubleshooting this, what should
I look at?
Ideas I've had so far:
a] look into a cheaper "esp" setting. Apparently the default is:
aes128-sha256. Anyone know of a cheaper cipher which will work with
IOS clients? I tried the NULL cipher setting (esp=null-sha1!) but IOS
clients didn't seem to like that proposal.
b] tune the TCP settings of the kernel. Can anyone suggest any
settings I should especially look for? I was thinking things like tcp
rmem/wmem. Do those apply to strongswan (5.x) since it is not in
c] could MTU be a factor? Is there anything people normally tune here?
Any other suggestions? Please mention anything you think could
vaguely help. A link to any recipes or whatever that may help would
also be great.
More information about the Users