[strongSwan] very low performance of IKEv2 ESP, please help

kemeris kemeris2000 at gmail.com
Fri Oct 3 10:24:16 CEST 2014


Hi all,

I am totally new to Linux and strongSwan, but after countless hours of 
reading mailing lists and forums, I have a working strongSwan 5.2.0 with 
RADIUS and RSA certificate auth for a variety of devices. Currently I am 
stuck with a performance problem (iperf) through the IPsec tunnel from a 
notebook (Win8) to the server, which are connected through a switch.

My server is dual CPU (Xeon E5-2620v2 with AES-NI support) / 6x2 cores 
(HyperThreading disabled) / Intel 1Gbps NIC / CentOS v6.5.


Without IPSec I get 640Mbits, cpu load is 18% (one core). The speed is 
quite low; I suspect it's because of the switch. I will try with a 
crossover cable later.
------------------------------------------------------------
Client connecting to 10.20.0.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.11 port 54248 connected with 10.20.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   767 MBytes   643 Mbits/sec


With IPSec I get only 181Mbps, cpu load is 14%
------------------------------------------------------------
Client connecting to 10.20.0.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.20.0.3 port 54513 connected with 10.20.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   216 MBytes   181 Mbits/sec

I am really stuck here, any ideas what could be wrong? I would 
appreciate any help.


Here is openssl speed test for aes-128-gcm, which shows 506MBps speed:
------------------------------------------------------------
[root@s1 /]# openssl speed -evp aes-128-gcm
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     205988.85k   506637.18k   654777.26k   708192.94k   727229.15k

My ipsec.conf:
------------------------------------------------------------
conn %default
     auto=add
     forceencaps=yes
     compress=yes
     keyexchange=ike
     ikelifetime=3h
     lifetime=1h
     rekeymargin=3m
     margintime=9m
     left=%defaultroute
     leftsubnet=0.0.0.0/0
     leftauth=pubkey
     leftcert=server-10.0.0.3.crt
     leftfirewall=no
     right=%any
     rightsourceip=10.20.0.2/16
     rightdns=212.59.1.1

conn win7_EAP
     keyexchange=ikev2
     ike=aes128gcm8-sha256-modp1024
     esp=aes128gcm8-sha256-modp1024
     dpdaction=clear
     dpddelay=300s
     rekey=no
     rightauth=eap-mschapv2
     rightsendcert=never
     eap_identity=%any