[strongSwan] A bug of nat-virtua-ip ?
kenxin lau
liuqixing2005 at gmail.com
Fri Jun 1 14:35:51 CEST 2012
2012/6/1 Martin Willi <martin at strongswan.org>:
> Hi,
>
>> moon :
>> cpu: 333 MHz PowerPC
>
>> Then the client alice send the udp packets of 100 bytes length every
>> 10 microseconds with about 10 threads at one time. Under these
>> circumstances, the idle of moon's CPU would be less than 10%, even
>> 0% .
>
> 10 * 100 bytes / 0.00001s = 100MB/s
>
> If you are really sending this much traffic, your embedded CPU is
> clearly overloaded, I don't think it can handle 100MB/s IPsec traffic.
>
I am so sorry for my spelling error, they are milliseconds ,not
microseconds. The bandwidth is as follow :
10*100 bytes / 0.001 s = 1 MB/s
>> The second experiment, I used the same hardware platform to set up a
>> environment which just set up the NAT and open the ip_forward in the
>> moon. And the udp packets of alice sent out to the gateway sun only
>> through the NAT of moon. The result is that the idle of moon's CPU
>> would be more than 95% all the time
>
> Did you have any IPsec processing in the first or second experiment? Are
> you sure that you have measured this correctly? I don't think that your
> CPU can handle much more than 1MB/s with 5% CPU load...
>
> Regards
> Martin
The first experiment had the IPsec processing , but the second
experiment did not.
The first experiment was the same as the net2net-psk:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/index.html
The second experiment did not have any IPsec processing, which was
only NAT and route!
In addition, I used the Linux-2.6.39.5 to do the nat-virtua-ip
experiment , I found that it worked better. The delay time was only
less than 2 seconds. Is that anything wrong with the Linux-2.6.32 ?
Regards,
Kenxin
More information about the Users
mailing list