[strongSwan] very low performance of IKEv2 ESP, please help

kemeris kemeris2000 at gmail.com
Fri Oct 3 13:10:40 CEST 2014


Thank you for your reply, Martin,


>The esp= keyword has an implicit fallback proposal if you don't append
>an exclamation mark, refer to the ipsec.conf manpage for details.
I feel silly right now, this was my mistake as I already saw this on 
the manpage.

>Most likely you are actually using AES256 with SHA1-HMAC, for which
>181Mbps is in the range of what to expect.
You are absolutely right, and it looks like Win8 also does not support 
AES-GCM.
Anyway, with AES_CBC_128 I have quite similar results, about 205Mbps.

>If you need more throughput for these clients, you probably want to have
>a look at the Linux pcrypt extensions to parallelize IPsec to multiple
>cores.
Thanks, I have already seen Steffen Klassert's document. At the moment I 
want to get max performance from one core.

I really want to understand what the limiting factor is in this particular 
case. My server can handle 600Mbps unencrypted traffic using one core, 
encryption of aes-128-cbc can achieve 405MBps also with one core (at 
least with the OpenSSL library). Why do I get only 181Mbps while core load 
is only 14%?

The most important thing to me is to understand the whole picture. Can you 
point me in the right direction for future reading?
Also, how can I check which crypto library strongSwan currently uses? Maybe 
switching to a newer kernel would help, my current kernel is v2.6.32.

Thank you in advance
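
Added example, not part of the original message: a check of which ESP transforms the kernel actually installed, run over `ip xfrm state` output, to catch the silent fallback from a non-strict `esp=` proposal discussed above. The sample output is constructed and the function names are hypothetical.

```python
# Constructed sample of `ip xfrm state` output (shortened keys, documentation
# addresses). First SA: the CBC + HMAC-SHA1 fallback. Second SA: AES-GCM.
SAMPLE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0xc0a1b2c3 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102 96
\tenc cbc(aes) 0x0a0b
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0xc4d5e6f7 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0c0d 128
"""


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi and the kernel algorithm names."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # An unindented "src ... dst ..." line starts a new SA record.
        if fields[0] == "src" and not line[0].isspace():
            sas.append({"src": fields[1], "dst": fields[3], "spi": None,
                        "enc": None, "auth": None, "aead": None})
        elif not sas:
            continue
        elif fields[0] == "proto" and "spi" in fields:
            sas[-1]["spi"] = fields[fields.index("spi") + 1]
        elif fields[0] in ("enc", "aead"):
            sas[-1][fields[0]] = fields[1]
        elif fields[0] in ("auth", "auth-trunc"):
            sas[-1]["auth"] = fields[1]
    return sas


def fallback_sas(text, wanted_aead="rfc4106(gcm(aes))"):
    """List SPIs of SAs that did not get the AEAD transform that was asked for."""
    return [sa["spi"] for sa in parse_xfrm_state(text)
            if sa["aead"] != wanted_aead]


if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE):
        print(sa["spi"], sa["aead"] or f'{sa["enc"]} + {sa["auth"]}')
    print("not AES-GCM:", fallback_sas(SAMPLE))
```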


