[strongSwan] Performance issue with 25k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Fri Oct 4 08:56:36 CEST 2013

Hi Martin,
I did profiling
the Charon implementation (using perf profiler tool) to find the main
bottleneck with 25k IPsec connections (without data traffic). The perf tool
generates an output file called perf.data. That file can then be analyzed using
the perf report. I found from call stack in the perf profiler ,: gmpn_addmul_1
function in  libgmp.so.3.4.1 consumes
most of the CPU cycles on both the Linux systems ( IKE Initiator as well as  IKE Responder) . It was clearly the hottest
procedure in the Chardon keying daemon (IKEv2). What I understand, the
strongswan uses the gmp library for the implementation of DH and we are using
the DH group as modp1024 at both ends.
Here goes the
results of #perf report
3.72%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_addmul_1
     0.86%           charon  libcharon.so.0.0.0                                                                   [.] checkout_by_message
     0.38%           charon  libc-2.11.1.so                                                                       [.] memcmp
     0.19%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_add_n
     0.15%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_mul_1
     0.10%           charon  libgmp.so.3.4.1                                                                      [.] 0x00000000022ed8
     0.09%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_sqr_basecase
     0.09%           charon  libgmp.so.3.4.1                                                                      [.]
     0.07%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_lshift
     0.04%           charon  libgmp.so.3.4.1                                                                      [.]
     0.04%           charon  libc-2.11.1.so                                                                       [.] 0x00000000096284
     0.04%           charon  libpthread-2.11.1.so                                                                 [.]
     0.04%           charon  libpthread-2.11.1.so                                                                 [.] __pthread_rwlock_unlock
     0.02%           charon  libc-2.11.1.so                                                                       [.] __libc_malloc
     0.02%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_mul_basecase
     0.02%           charon  libgmp.so.3.4.1                                                                      [.] __gmpz_powm
     0.02%           charon  libstrongswan-sha1.so                                                                [.] SHA1Transform
     0.02%           charon  libc-2.11.1.so                                                                       [.] cfree
     0.02%           charon  [kernel.kallsyms]                                                                    [k] sha_transform
     0.02%           charon  libc-2.11.1.so                                                                       [.] vfprintf
     0.02%           charon  libgmp.so.3.4.1                                                                      [.] __gmpn_kara_mul_n
     0.01%           charon  [kernel.kallsyms]                                                                    [k] finish_task_switch
     0.01%           charon  libgmp.so.3.4.1                                                                      [.]
     0.01%           charon  [kernel.kallsyms]                                                                    [k] _raw_spin_unlock_irqrestore
     0.01%           charon  libcharon.so.0.0.0                                                                   [.]
     0.01%           charon  [kernel.kallsyms]                                                                    [k] smp_call_function_many
     0.01%           charon  libstrongswan-sha1.so                                                                [.]
     0.00%           charon  libc-2.11.1.so                                                                       [.] memcpy
     0.00%           charon  libc-2.11.1.so                                                                       [.]
Do I need to
use the Libgcrypt instead of GMP library?  If yes, please suggest how to do that. Or will you suggest drilling down
into  gmpn_addmul_1 function (GMP software component) to figure out the real
Thanks in advance for your help and suggestions.

 From: Martin Willi <martin at strongswan.org>
To: Chinmaya Dwibedy <ckdwibedy at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Wednesday, September 25, 2013 1:10 PM
Subject: Re: [strongSwan] Performance issue with 20k IPsec tunnels (using 5.0.4 strongswan and load-tester plugin)

> I find, there are lots of retransmissions (as it prints the status of
> the initiation with *character mostly) in console. I know, these are
> certainly considered to be bad. But I have set the retransmit_timeout
> and retransmit_tries to 300 seconds and 300 times respectively, which
> is a huge.

The retransmissions usually indicate that one of the peers is
overloaded. Increasing retransmission timeouts can't solve your
performance limitations; this might help to work around the issues you
see in your lab, but certainly does not resemble what you have on a real
setup. Further, the charon.half_open_timeout strongswan.conf setting
defaulting to 30s will delete the IKE_SA on the responder if it does not
come up within that timeout.

As said before, I think you should focus on finding the bottleneck of
your setup rather than adjusting your client configuration. Use a
profiling tool.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131003/bb842a41/attachment.html>

More information about the Users mailing list