[strongSwan] Throughput on high BDP networks
jsullivan at opensourcedevel.com
jsullivan at opensourcedevel.com
Mon Jun 1 15:51:46 CEST 2015
> On May 31, 2015 at 8:06 AM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello John,
>
> Maybe the pcrypt module has some hidden dependencies to
> other crypto or xfrm modules. Try figuring out what modules
> are loaded when the tunnel is up and load them before the pcrypt module.
>
> I don't know a working solution to the problem, that the performance is still
> very poor.
> I know, that the reason for the limited parallelization performance is
> the replay protection of ipsec, so maybe the performance increases,
> when you disable that?
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
Hmm . . . that's worth trying but how does one disable replay detection? I tried
setting charon.replay_window = 0 but ip xfrm state shows the window size as 32.
I then tried to set it directly in xfrm:
ip xfrm state update src x.x.x.x dst y.y.y.y proto esp spi 0xc70b4956 aead
rfc4106\(gcm\(aes\)\) 0x6a5f95a4b971df7525091307eed0e0e79d7f0bac 64
replay-window 0
but it stubbornly stays at 32. Thanks - John
<snip>
More information about the Users
mailing list