[strongSwan] very low performance of IKEv2 ESP, please help

kemeris kemeris2000 at gmail.com
Fri Oct 3 13:10:40 CEST 2014

  Thank you for your reply Martin,

>The esp= keyword has an implicit fallback proposal if you don't append
>an exclamation mark, refer to the ipsec.conf manpage for details.
I feel silly right now, this was my mistake as I already saw this on 

>Most likely you are actually using AES256 with SHA1-HMAC, for which
>181Mbps is in the range of what to expect.
You are absolutely right, and looks like Win8 also does not support 
Anyway, with AES_CBC_128 I have quite similar results, about 205Mbps.

>If you need more throughput for these clients, you probably want to 
>a look at the Linux pcrypt extensions to parallelize IPsec to multiple
Thanks, I have already saw Steffen Klassert document. At the moment I 
want to get max performance from one core.

I really want to understand, what is limiting factor in this particular 
case. My server can handle 600Mbps unencrypted traffic using one core, 
encryption of aes-128-cbc can achieve 405MBps also with one core (at 
least with OpenSSL library). Why I get only 181Mbps while core load is 
only 14%.

Most important thing to me is to understand whole picture. Can you point 
me to right direction for future reading?
Also, how to check what crypto library strongswan currently use. Maybe 
switching to newer kernel would help, my current kernel is v2.6.32.

Thank you in advance

More information about the Users mailing list