[strongSwan] AES-CCM encryption performance !?

Jakob Curdes jc at info-systems.de
Mon Jun 17 13:26:15 CEST 2013

Hello, this is not strictly StrongSwan-related as it only uses the 
AES-NI kernel module's encryption capabilities, but I would like to ask 
who has experience with the expected performance of an IPSec setup with 

I have a test setup with 9k MTU where the pure link gives me a bandwidth 
of ~ 950 Mbit/sec, as expected for a GBit link (all measurements with 
IPerf with default windows sizes etc).
When I go via the VPN (destination IP's on the same machines as the link 
IPs, but without direct connection), I get a bandwidth around 300 
MBit/sec which is largely independent from the MTU. While this is 
impressive, I have reports of over 600 MBit/sec achieved: 

Also I observed that the encryption tasks only use some of the CPUs; I 
have a bonded interface with two NICs in rr-fashion and I assume two 
CPUs do the encryption for these NICs, driven by interrupts?

What are the performance marks of other users? How could we gain a 
higher performance on a 1 GBit link? It seems with an 4-Core Xeon E3 we 
should be able in some way to encrypt fast enough for a GBit link?

Best regards,
Jakob Curdes

More information about the Users mailing list