[strongSwan] ksoftirq thread reaching 100%

SM K sacho.polo at gmail.com
Tue Apr 1 03:52:24 CEST 2014


Hi Martin,

Thank you very much for the reply. A few more questions.


> > I have seen this on boxes with aes-ni enabled and also disabled
> > The cipher suite chosen is AES-128
>
> AES-NI is quite powerful and should allow you to increase your
> throughput. However, running AES in GCM mode is preferable, as using a
> traditional HMAC integrity function could become the bottleneck
> otherwise.
>
Sadly, some of the firewalls we use do not support GCM. Does AES-NI still
help if we are using, say, *aes128-sha1?*


>
> If that doesn't help, you might consider using parallelized ESP
> processing [1], allowing you to take advantage of a multi-core system.
>

This sounds promising. What do I need to enable this? Our kernel version is
2.6.35-25. How would I check if this is in use?
Are there any gotchas of using this?

Thank you very much for your support.

regards,
skmat.


>
> Regards
> Martin
>
> [1]
> https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140331/e565f9e7/attachment.html>


More information about the Users mailing list