[strongSwan] ksoftirq thread reaching 100%
Naveen
pncbose at yahoo.com
Thu Apr 3 18:29:44 CEST 2014
$grep pcrypt /proc/crypto
this command could show something like:
driver : pcrypt(authenc(hmac(sha1-generic),cbc-aes-aesni))
if not enabled, you could try:
$modprobe tcrypt alg="pcrypt(authenc(hmac(sha1),cbc(aes)))" type=3
there may be an error and you can ignore it, if the above command hangs, just ctrl-c and should be good to go.
- Naveen
On Monday, March 31, 2014 6:52 PM, SM K <sacho.polo at gmail.com> wrote:
Hi Martin,
Thank you very much for the reply. A few more questions.
>> I have seen this on boxes with aes-ni enabled and also disabled
>
>> The cipher suite chosen is AES-128
>
>AES-NI is quite powerful and should allow you to increase your
>throughput. However, running AES in GCM mode is preferable, as using a
>traditional HMAC integrity function could become the bottleneck
>otherwise.
>
Sadly, some of the firewalls we use do not support GCM. Does AES-NI still help if we are using, say, aes128-sha1?
>If that doesn't help, you might consider using parallelized ESP
>processing [1], allowing you to take advantage of a multi-core system.
>
This sounds promising. What do I need to enable this? Our kernel version is 2.6.35-25. How would I check if this is in use?
Are there any gotchas of using this?
Thank you very much for your support.
regards,
skmat.
>Regards
>Martin
>
>[1]https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf
>
>
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140403/ce71098b/attachment.html>
More information about the Users
mailing list