[strongSwan] very low performance of IKEv2 ESP, please help

Martin Willi martin at strongswan.org
Fri Oct 3 11:28:35 CEST 2014


> Currently I am stuck with performance problem (iperf) throw IPSec
> tunnel from notebook (win8) to server, which are connected throw
> switch.

> With IPSec I get only 181Mbps, cpu load is 14%

> Here is openssl speed test for aes-128-gcm, which shows 506MBps speed:

>      esp=aes128gcm8-sha256-modp1024

AFAIK at least on Windows 7 the Agile VPN Client does not support
AES-GCM. Check "ipsec statusall" for the actually negotiated proposals.

The esp= keyword has an implicit fallback proposal if you don't append
an exclamation mark, refer to the ipsec.conf manpage for details.

Most likely you are actually using AES256 with SHA1-HMAC, for which
181Mbps is in the range of what to expect.

If you need more throughput for these clients, you probably want to have
a look at the Linux pcrypt extensions to parallelize IPsec to multiple


More information about the Users mailing list