[strongSwan] ksoftirq thread reaching 100%

Naveen pncbose at yahoo.com
Thu Apr 3 18:29:44 CEST 2014


$grep pcrypt /proc/crypto  
this command could show something like:
driver : pcrypt(authenc(hmac(sha1-generic),cbc-aes-aesni))


if not enabled, you could try:
$modprobe tcrypt alg="pcrypt(authenc(hmac(sha1),cbc(aes)))" type=3

there may be an error and you can ignore it, if the above command hangs, just ctrl-c and should be good to go.

- Naveen

On Monday, March 31, 2014 6:52 PM, SM K <sacho.polo at gmail.com> wrote:
 
Hi Martin,

Thank you very much for the reply. A few more questions.


>> I have seen this on boxes with aes-ni enabled and also disabled
>
>> The cipher suite chosen is AES-128
>
>AES-NI is quite powerful and should allow you to increase your
>throughput. However, running AES in GCM mode is preferable, as using a
>traditional HMAC integrity function could become the bottleneck
>otherwise.
>
Sadly, some of the firewalls we use do not support GCM. Does AES-NI still help if we are using, say, aes128-sha1?
 

>If that doesn't help, you might consider using parallelized ESP
>processing [1], allowing you to take advantage of a multi-core system.
>

This sounds promising. What do I need to enable this? Our kernel version is 2.6.35-25. How would I check if this is in use?
Are there any gotchas of using this?

Thank you very much for your support.

regards,
skmat.
 

>Regards
>Martin
>
>[1]https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
>
>


_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140403/ce71098b/attachment.html>


More information about the Users mailing list