[strongSwan] Throughput / tuning

kgardenia42 kgardenia42 at googlemail.com
Wed Dec 12 19:20:59 CET 2012


I am using an AWS Ubuntu 12.04 (64 bit) as my VPN server.

On a side-by-side test I can see about a 50% drop-off in speed
downloading a file via the VPN vs not (to a file-server on the same
LAN as the VPN server) with the client being an iOS device.


20 secs on WIFI
25-30 secs on WIFI + VPN

When the VPN is involved I see a more "bursty" experience.  Almost
like TCP buffers need tuned or whatever.

My question is:  should I expect that level of drop-off (all things
being equal) or does that seem excessive?  It seems somewhat excessive
to me.  Also, in terms of tuning or troubleshooting this, what should
I look at?

Ideas I've had so far:

a] look into a cheaper "esp" setting. Apparently the default is:
aes128-sha256.  Anyone know of a cheaper cipher which will work with
iOS clients?  I tried the NULL cipher setting (esp=null-sha1!) but iOS
clients didn't seem to like that proposal.

b] tune the TCP settings of the kernel.  Can anyone suggest any
settings I should especially look for?  I was thinking things like tcp
rmem/wmem.  Do those apply to strongSwan (5.x) since it is not in

c] could MTU be a factor?  Is there anything people normally tune here?

Any other suggestions?  Please mention anything you think could
vaguely help.  A link to any recipes or whatever that may help would
also be great.


