[strongSwan] strongswan poor performance

Noel Kuntze noel at familie-kuntze.de
Mon Jul 28 16:09:28 CEST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Miroslav,

The processing of the traffic takes place in kernel threads, not in the daemon.
To properly look at the load of ipsec, you have to look at the CPU usage of the system threads.
IPsec in kernel space isn't parallelized at all. If you want panellized processing of ESP and AH packets in kernel space,
you should look at [1] and ask Martin Willi or Tobias Brunner about this topic.

[1] http://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf

Regards,
Noel Kuntze
 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 28.07.2014 um 15:50 schrieb Miroslav Kubiczek:
> Hi,
>
> I’m trying to figure out what’s the bottleneck of on strongswan machine with this network setup:
>
> I have:
> * several VPN clients (using vpnc https://www.unix-ag.uni-kl.de/~massar/vpnc/ - trying to simulate an iPhone)
> * one lighthttp server.
> * one strongswan gateway with this options:
>
>>       i_dont_care_about_security_and_use_aggressive_mode_psk=yes
>> conn ios
>       keyexchange=ikev1
>       authby=xauthpsk
>       xauth=server
>       aggressive = yes
>       left=10.30.10.213
>       leftsubnet=0.0.0.0/0
>       right=%any
>       rightsourceip=10.30.11.120/29
>       rightdns=208.67.220.220
>       auto=add
>       type=tunnel
>       rekey=no
>
>
> When I fire HTTP requests (using a perf test tool) I get just 100 msg/s whereas without VPN it goes up to 6.000 msg/s.
> Network traffic on strongswan is just on 800k/s on UDP 4500 no matter of how many clients I use.
> TOP doesn’t show any process to go above 10%. Increasing number of CPUs also doesn’t help.
>
> Can anybody give me a clue of how to find the bottleneck?
>
>
> Thanks,
> Miro
>
>
>
> *****************************************This email and any files transmitted with are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error then please delete it and notify the sender. Do not make a copy or forward it to anyone.  This footnote also confirms that this email message has been swept for the presence of computer viruses. Adaptive Mobile Security Ltd, Ferry House, 48 Lower Mount Street, Dublin 2, Ireland Directors: B. Collins, Stephen Brennan, Marcos Battisti (UK), N. Grierson (UK), J. Ennis (UK), D. Summers (UK). Registered in Ireland, Company No. 370343, VAT Reg.No.IE6390343O*****************************************
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJT1lmYAAoJEDg5KY9j7GZYqsIP+wUsC1XMFFnBb5BITV52fy6v
ITPqAxrMFaTSoS0lCZG5Rv6aSyJD8SAe9QatY2aPiydNPQdq+4Ph1F/gWELqEo5J
dZvBJdQkVltvbsoDqtWKXEk4YFRwzjuhH62hCXWRL/pLA+msQK8IubXLz29oU+oR
boTgIyTz4wpyvX55GJl2RgmHc3k+4sVjVAHb1MLwYwH5QlB5OnBKyaO5BvPHVL9L
Gt9eucGsrI6j6/Or+LQVF0xBuEICSNIE1srrgdTo9++rbFgekaQOgqA8jgrAGl4a
tHCRz604IjgLjNw22CgWc5QVVqJq1REKNWPJ8ddfOobX0Ht1hvVT9JEoKZmSaYkh
L7xESMUhBNT526obRgwcKvOTm16ZYSdCeTEixJAp0svsYNhyPJ3FFz90PKhv2jii
kwhApYcDmPtbphTEyJRraKKCCOSsEYt/NfMuZrCvaGLMdGteVkPV4VQHVFmoYopD
QtF2NWUpOu7UGTxM8gKjmwVdCLwMG1ubGxSvo2UX8BmBqAybMmce5rKtdYuIH5XP
RoiALT/PFb+qZxyXCMKoQLfufE1Lz/MQnStWt2uWECDI34bjZ2xEV+X/KxCliYwi
zhfVj6E9HygcDAnNFoxBv0GS0+UmkEKVhyMDzXbbOP7o4Prke3KzcSUF6vErR+yM
OOUql2I5a+AGHZOFsMf6
=vWIJ
-----END PGP SIGNATURE-----

More information about the Users mailing list