[strongSwan] Strongswan 5.1.3: traffic processing spans to only one core in a multi-core environment

Shahreen Ahmed sahmed at adax.co.uk
Fri Jul 11 17:15:41 CEST 2014 

Hello Martin,

I am currently using 'esp=aes128gcm16' based encryption and seeing 
improvement in throughput. The authentication is based on x.509 
certificates and the server CPU has 'aes' flag enabled.

I am following this link below as a reference on performance measurement 
done by Intel.

http://www.intel.com/content/www/us/en/intelligent-systems/wireless-infrastructure/aes-ipsec-performance-linux-paper.html

Where 2Gbps could be achieved with single core using AES-NI-GCM crypto 
driver.

Can you please give me a bit of guideline on to get this much 
throughput, if I would need to take any further configuration 
option/trick into account.

Your response would be highly appreciated.

Thanks,
Shahreen

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sahmed at adax.co.uk
Direct line: +44(0)118 952 2804

On 09/07/2014 16:47, Shahreen Ahmed wrote:
> Hi Martin,
>
> In my setup I used AES-128 encryption with pre-shared key based 
> authentication.
>
> On the following hashed mark point, can you please give me a bit more 
> detail about how should we make the following into effect i,e enabling 
> AES-NI or AES-GCM? Should we do it using ipsec.conf config files or we 
> need something else?
>
> ##
> AES-NI is quite powerful and should allow you to increase your
> throughput. However, running AES in GCM mode is preferable, as using a
> traditional HMAC integrity function could become the bottleneck
> otherwise.
>
> ##
>
> Thanks,
> Shahreen
>
> Shahreen Noor Ahmed
> Network Support Department
> Adax Europe Ltd
> url: www.adax.com
> e-mail: sahmed at adax.co.uk
> Direct line: +44(0)118 952 2804
>
> On 02/07/2014 10:56, Martin Willi wrote:
>> Hi,
>>
>>> By stressing with traffic it seems I can achieve maximum 43% line rate
>>> for larger Pkt size (1400b) and only 28% line rate for smaller packet
>>> size (256b).
>>>
>>> Looking at the top output it seems that only 1 core is occupied and
>>> reaches to 100% of consumption.
>> This is what to expect, and has been discussed a few times, for example
>> at [1].
>>
>> Regards
>> Martin
>>
>> [1]https://www.mail-archive.com/users@lists.strongswan.org/msg07386.html
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list