[strongSwan] IPSec and VRRP interfaces

jsullivan at opensourcedevel.com jsullivan at opensourcedevel.com
Sat Jun 6 05:49:20 CEST 2015

 Hello, all.  As we continue to battle our high speed performance issues, we
seem to have encountered yet another obstacle.  The gateways are using
keepalived to provide VRRP.  We use this in spite of running OSPF in the
GRE/IPSec tunnels because we are doing real time video editing across the link
and so need single second recovery times.

However, we are finding a huge performance degradation unrelated to software
interrupts or CPU utilization when we terminate the IPSec transport for the GRE
tunnels on the VRRP interface.  Performance and reliability jump dramatically
when we move to the physical, well, actually, bonded interface.

Does anyone have experience using StrongSWAN on VRRP interfaces and any advice
for making it work properly? Thanks - John

