[strongSwan] Low tunnel setup speed with modp768 using the load tester plugin (strongswan 5.0.4)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Mon Nov 18 13:31:54 CET 2013


Hi,

I am using the load tester plugin (strongswan 5.0.4) to create 20K IPsec tunnels (without data traffic). I have disabled logging and used the pre-shared key authentication mechanism. As I understand it, the tunnel setup rate depends on how fast the Diffie-Hellman exchange can be done and on the group used, because I think IKEv2 spends most of its time (more than 80%) in the DH exchange. I am using the least expensive group, modp768. Still, I'm hitting a bottleneck in tunnel setup speed. I am only getting about 5 tunnels per second. I did profiling with perf (on Wind River Linux), but the call stack did not show any hotspot in the strongswan codebase.

To increase the tunnel establishment rate, do I need to accelerate the generation of the public DH factor by configuring the strongswan.conf setting (in the strongswan.conf file at both ends) as below? As of now it is commented out.

libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

Please point me in the right direction if I have misunderstood or am missing anything.

Regards,
Chinmaya
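
Added example (not part of the original post and not strongSwan code): a Python timing of modp768 public-value generation and shared-secret derivation with a full-length exponent versus a short one, which is the trade-off the dh_exponent_ansi_x9_42 option in the post controls. The 256-bit short length and all function names are assumptions made for this illustration.

```python
import secrets
import timeit

# RFC 2409 Oakley Group 1 (modp768) prime; the generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
FULL_BITS = P.bit_length()  # exponent as long as the modulus
SHORT_BITS = 256            # assumed short exponent length (illustration only)

def private_exponent(bits):
    """Random exponent of exactly `bits` bits, kept below P - 1."""
    while True:
        x = secrets.randbits(bits) | (1 << (bits - 1))
        if x < P - 1:
            return x

def dh_exchange(bits):
    """Run both sides of one exchange; return the two derived secrets."""
    a, b = private_exponent(bits), private_exponent(bits)
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    return pow(pub_b, a, P), pow(pub_a, b, P)

def seconds_per_side(bits, rounds=50, repeat=5):
    """Best-of-`repeat` time for one side's two modular exponentiations."""
    x = private_exponent(bits)
    peer_pub = pow(G, private_exponent(bits), P)

    def one_side():
        pow(G, x, P)          # own public value
        pow(peer_pub, x, P)   # shared secret

    return min(timeit.repeat(one_side, number=rounds, repeat=repeat)) / rounds

def compare():
    """Time both exponent sizes and report the speed-up of the short one."""
    full = seconds_per_side(FULL_BITS)
    short = seconds_per_side(SHORT_BITS)
    return {"full": full, "short": short, "speedup": full / short}

if __name__ == "__main__":
    r = compare()
    print(f"full  ({FULL_BITS}-bit exponent): {r['full'] * 1e6:8.1f} us per side")
    print(f"short ({SHORT_BITS}-bit exponent): {r['short'] * 1e6:8.1f} us per side")
    print(f"speed-up from short exponent: {r['speedup']:.2f}x")
```

Comparing the per-side time printed here with the observed setup rate shows how much of each tunnel's setup time the DH arithmetic can account for.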