[strongSwan] ksoftirq thread reaching 100%
SM K
sacho.polo at gmail.com
Tue Apr 1 03:52:24 CEST 2014
Hi Martin,
Thank you very much for the reply. A few more questions.
> > I have seen this on boxes with aes-ni enabled and also disabled
> > The cipher suite chosen is AES-128
>
> AES-NI is quite powerful and should allow you to increase your
> throughput. However, running AES in GCM mode is preferable, as using a
> traditional HMAC integrity function could become the bottleneck
> otherwise.
>
Sadly, some of the firewalls we use do not support GCM. Does AES-NI still
help if we are using, say, *aes128-sha1?*
>
> If that doesn't help, you might consider using parallelized ESP
> processing [1], allowing you to take advantage of a multi-core system.
>
This sounds promising. What do I need to enable this? Our kernel version is
2.6.35-25. How would I check if this is in use?
Are there any gotchas of using this?
Thank you very much for your support.
regards,
skmat.
>
> Regards
> Martin
>
> [1]
> https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140331/e565f9e7/attachment.html>
More information about the Users
mailing list