[strongSwan] AES-CCM encryption performance !?

Martin Willi martin at strongswan.org
Mon Jun 17 13:46:07 CEST 2013

Hi Jakob,

> I get a bandwidth around 300 MBit/sec which is largely independent from
> the MTU. While this is impressive, I have reports of over 600 MBit/sec

In my tests between two virtual machines on a single i7-3770 I've got
about the same, 300-400 MBit/sec. 

AES-GCM seems to be much faster, I could achieve rates around 900
MBit/sec. If GCM is an option, I'd definitely give that a try.

> Also I observed that the encryption tasks only use some of the CPUs; I 
> have a bonded interface with two NICs in rr-fashion and I assume two 
> CPUs do the encryption for these NICs, driven by interrupts?

Yes, by default IPsec is bound to a single core, the one that handles
interrupts for your NIC. You may have a look at the pcrypt extension [1]
that allows you to use more cores. I've never tried that myself, though.



More information about the Users mailing list