[strongSwan] Hardware for 1gbp/s

Eric Germann ekgermann at semperen.com
Mon Apr 11 19:58:45 CEST 2016


As a random datapoint, we routinely sustain 450Mbps+ on instances in Amazon using a CentOS 6.7 image on a c3.large instance type.

2 cores : CPU0: Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz stepping 04

4GB of RAM

We do NAT-T which pushes it to udp/4500 and we tweaked the buffers there.

Haven’t played too much more with it because that was sufficient for us, but you can sustain almost half a gig on a lightweight instance.


> On Apr 11, 2016, at 1:34 PM, Hose <hose+strongswan at bluemaggottowel.com> wrote:
> What you say...Fred (curious_freddy at gmsl.co.uk):
>> What kind of hardware is required to maintain a point to point ipsec link
>> with 1gbp/s b/w with Strongswan at each end.
>> Are there any things/overheads to be aware of from the Strongswan side of
>> things? Performance degradation, lower throughput etc as a result of running
>> the actual crypto.
>> Fred.
> Good luck with this. Unfortunately no one seems to have any concrete
> information (asked about this previously). My testing shows that there's
> a bottleneck somewhere between 200-300mb/s most likely in the kernel
> somewhere, as throwing more cores and attempting to parallelize it
> improves nothing. Those things may help with multiple IPsec tunnels, but
> a single tunnel doesn't show any improvement.
> This was on Debian 8.3 with various kernels in there
> ranging from 3.2 to 3.16; a newer kernel may help, but that's just
> speculation.
> hose
