[strongSwan] AES-CCM encryption performance !?
Jakob Curdes
jc at info-systems.de
Mon Jun 17 13:26:15 CEST 2013
Hello, this is not strictly StrongSwan-related as it only uses the
AES-NI kernel module's encryption capabilities, but I would like to ask
who has experience with the expected performance of an IPSec setup with
AES-NI.
I have a test setup with 9k MTU where the pure link gives me a bandwidth
of ~ 950 Mbit/sec, as expected for a GBit link (all measurements with
IPerf with default windows sizes etc).
When I go via the VPN (destination IP's on the same machines as the link
IPs, but without direct connection), I get a bandwidth around 300
MBit/sec which is largely independent from the MTU. While this is
impressive, I have reports of over 600 MBit/sec achieved:
http://ibatanov.blogspot.de/2012/04/ipsec-performance-benchmarking-is-end.html.
Also I observed that the encryption tasks only use some of the CPUs; I
have a bonded interface with two NICs in rr-fashion and I assume two
CPUs do the encryption for these NICs, driven by interrupts?
What are the performance marks of other users? How could we gain a
higher performance on a 1 GBit link? It seems with an 4-Core Xeon E3 we
should be able in some way to encrypt fast enough for a GBit link?
Best regards,
Jakob Curdes
More information about the Users
mailing list