[strongSwan] Throughput on high BDP networks

jsullivan at opensourcedevel.com
Mon Jun 1 15:51:46 CEST 2015


> On May 31, 2015 at 8:06 AM Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello John,
>
> Maybe the pcrypt module has some hidden dependencies on
> other crypto or xfrm modules. Try figuring out what modules
> are loaded when the tunnel is up and load them before the pcrypt module.
>
> I don't know a working solution to the problem that the performance is still
> very poor.
> I know that the reason for the limited parallelization performance is
> the replay protection of ipsec, so maybe the performance increases
> when you disable that?
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
Hmm . . . that's worth trying, but how does one disable replay detection? I tried
setting charon.replay_window = 0 but ip xfrm state shows the window size as 32.
I then tried to set it directly in xfrm:

    ip xfrm state update src x.x.x.x dst y.y.y.y proto esp spi 0xc70b4956 \
        aead rfc4106\(gcm\(aes\)\) 0x6a5f95a4b971df7525091307eed0e0e79d7f0bac 64 \
        replay-window 0

but it stubbornly stays at 32.  Thanks - John

<snip>

