[strongSwan] ksoftirq thread reaching 100%

Naveen pncbose at yahoo.com
Thu Apr 3 18:29:44 CEST 2014

$grep pcrypt /proc/crypto  
this command could show something like:
driver : pcrypt(authenc(hmac(sha1-generic),cbc-aes-aesni))

if not enabled, you could try:
$modprobe tcrypt alg="pcrypt(authenc(hmac(sha1),cbc(aes)))" type=3

there may be an error and you can ignore it, if the above command hangs, just ctrl-c and should be good to go.

- Naveen

On Monday, March 31, 2014 6:52 PM, SM K <sacho.polo at gmail.com> wrote:
Hi Martin,

Thank you very much for the reply. A few more questions.

>> I have seen this on boxes with aes-ni enabled and also disabled
>> The cipher suite chosen is AES-128
>AES-NI is quite powerful and should allow you to increase your
>throughput. However, running AES in GCM mode is preferable, as using a
>traditional HMAC integrity function could become the bottleneck
Sadly, some of the firewalls we use do not support GCM. Does AES-NI still help if we are using, say, aes128-sha1?

>If that doesn't help, you might consider using parallelized ESP
>processing [1], allowing you to take advantage of a multi-core system.

This sounds promising. What do I need to enable this? Our kernel version is 2.6.35-25. How would I check if this is in use?
Are there any gotchas of using this?

Thank you very much for your support.



Users mailing list
Users at lists.strongswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140403/ce71098b/attachment.html>

More information about the Users mailing list