[strongSwan] Tuning a Site-to-Site Link using Strongswan and Centos 7

Eric Germann ekgermann at semperen.com
Tue Jun 23 21:32:22 CEST 2015


I’m working with Strongswan 5.3.2 on Centos 7.1 (also 6.6).

This is a totally greenfield implementation so I have some latitude as we control both ends of the link (and both will be running Strongswan).

I’m working with pcrypt and have successfully implemented it.

As the instances are running in Amazon AWS, we’ll need to run NAT-T.

I’m looking for others’ experiences in tuning /etc/sysctl.conf for a high-volume S2S router over NAT-T.  Bandwidth between sites is effectively unlimited but ~ 1-2Gbps based on the instance type we’re running.

I’m doing some tweaking of UDP parameters and gaining some ground.  I wondered about others’ thoughts on whether any of the TCP parameters need to be tuned on the routers?  Traffic will be predominantly TCP but there will be some UDP mixed in there too.  Lots of file transfer traffic via SMB and FTP.

Looking at AES-GCM for efficiency, and AES-NI is supported by their processors.  Right now we’re seeing about 350-400Mbps throughput on instances with 4 cores and 8GB of RAM (iperf3).

/etc/sysctl.conf so far has UDP at

net.ipv4.udp_mem        = 262144 873800 16777216
net.ipv4.udp_rmem_min   = 262144
net.ipv4.udp_wmem_min   = 262144

Traffic seems to be bursty.  We’ll see high throughput, then fall off, then recover.

Thoughts appreciated on parameters or where to look for any issues, and thanks in advance.
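An added sanity check for the sysctl fragment quoted above (example code, not from the original post or from the strongSwan project). It parses sysctl.conf-style text, converts net.ipv4.udp_mem from pages to bytes, and reports settings that are internally inconsistent or that cannot take effect on the instance size mentioned in the post. Assumptions: a 4 KiB page size (the usual x86_64 default; confirm with `getconf PAGESIZE`), 8 GiB of RAM as in the post, and the constructed `POST_FRAGMENT` and helper names, none of which come from the post.

```python
"""Sanity-check UDP buffer sysctls from a sysctl.conf fragment.

Added example for the strongSwan users-list thread; not the post's own code.
Units: net.ipv4.udp_mem is three values in PAGES (min, pressure, max);
net.ipv4.udp_rmem_min / udp_wmem_min and net.core.rmem_max / wmem_max are in BYTES.
"""
import re

PAGE_SIZE = 4096  # assumption: x86_64 Linux default; verify with `getconf PAGESIZE`

# Constructed copy of the fragment quoted in the post (values as written there).
POST_FRAGMENT = """
net.ipv4.udp_mem        = 262144 873800 16777216
net.ipv4.udp_rmem_min   = 262144
net.ipv4.udp_wmem_min   = 262144
"""

_LINE_RE = re.compile(r"^([\w.\-/]+)\s*=\s*(.*)$")


def parse_sysctl(text):
    """Parse sysctl.conf-style text into {key: value_string}.

    Blank lines and lines starting with '#' or ';' are ignored, as sysctl.conf(5) does.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sysctl line: {raw!r}")
        settings[m.group(1)] = m.group(2).strip()
    return settings


def udp_mem_bytes(settings):
    """Return (min, pressure, max) of net.ipv4.udp_mem converted from pages to bytes."""
    parts = [int(x) for x in settings["net.ipv4.udp_mem"].split()]
    if len(parts) != 3:
        raise ValueError("net.ipv4.udp_mem must have exactly three values")
    return tuple(p * PAGE_SIZE for p in parts)


def check_udp_settings(settings, ram_bytes=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if "net.ipv4.udp_mem" in settings:
        lo, pressure, hi = udp_mem_bytes(settings)
        if not lo <= pressure <= hi:
            findings.append("udp_mem: values must be non-decreasing (min <= pressure <= max)")
        if ram_bytes is not None and hi > ram_bytes:
            findings.append(
                f"udp_mem: max {hi // 2**30} GiB exceeds physical RAM "
                f"{ram_bytes // 2**30} GiB, so the cap cannot be reached before memory runs out")
    # The per-socket minimums are bytes and must not exceed the core maximums.
    for side in ("rmem", "wmem"):
        min_key = f"net.ipv4.udp_{side}_min"
        max_key = f"net.core.{side}_max"
        if min_key in settings and max_key in settings:
            if int(settings[min_key]) > int(settings[max_key]):
                findings.append(f"{min_key} is larger than {max_key}")
    return findings


if __name__ == "__main__":
    s = parse_sysctl(POST_FRAGMENT)
    print("udp_mem in bytes:", udp_mem_bytes(s))
    for finding in check_udp_settings(s, ram_bytes=8 * 2**30):  # 8 GiB as in the post
        print("finding:", finding)
```

Run it against the live box with `sysctl -a | grep -E 'udp_|[rw]mem_max'` piped into `parse_sysctl` to check what is actually loaded rather than what the file says; the page-versus-byte unit difference between udp_mem and the *_min/*_max knobs is the mistake this check is meant to catch.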

