[strongSwan] Maximizing throughput / kernel bottlenecks

Martin Willi martin at strongswan.org
Mon Apr 11 21:14:23 CEST 2016

> (one of which is quite old - running a dual core netburst
> P4 @2.8, the other two are VMs on decent hardware, all of which have no
> load) are hitting walls at 300mb/s

On a Netburst architecture you can't expect more; it does not have any 
acceleration for AES-GCM.

> but can hit 980mb/s unencrypted,
> leads me to some kind of kernel bottleneck.

Encryption is that expensive.

> The two VMs have aesni
> support, or at least the aesni extension is getting passed through the
> hypervisor to them.

AESNI is half of the story only, you'll need CLMUL instructions as well 
(pclmulqdq in /proc/cpuinfo). Try to run

   modprobe tcrypt sec=1 type=4 mode=211

and check dmesg for the benchmark results.

> Unfortunately no one seems to have any concrete
> information (asked about this previously). My testing shows that there's
> a bottleneck somewhere between 200-300mb/s most likely in the kernel
> somewhere

That's not true. Saturating Gbit links is not much of a problem with 
AESNI/CLMUL accelerated AES-GCM. Even with the AVX2-enabled 
ChaCha20Poly1305 I got 700MBit/s on a single core, without pcrypt.
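
The CPU flag check mentioned in the reply above, as an added example that is not part of the original post: it reads /proc/cpuinfo-style text and reports, per CPU, whether aes, pclmulqdq and avx2 are present, which matters on VMs where the hypervisor may pass through only some of them. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-CPU check for the flags named in the reply above.

# Constructed sample in /proc/cpuinfo layout (not from a real host):
# cpu 0 has aes + pclmulqdq + avx2; cpu 1 has aes only.
SAMPLE_CPUINFO='processor : 0
flags : fpu sse2 ssse3 pclmulqdq aes avx avx2
processor : 1
flags : fpu sse2 ssse3 aes avx'

# cpus_missing_flag FLAG: reads cpuinfo text on stdin and prints the CPU
# numbers whose flags line lacks FLAG. Whole-word match, so "vaes" or
# "vpclmulqdq" never count as "aes" or "pclmulqdq". Prints "?" when the
# input has no flags lines at all (e.g. non-x86 cpuinfo).
cpus_missing_flag() {
    awk -v want="$1" '
        /^processor[ \t]*:/ { cpu = $NF }
        /^flags[ \t]*:/ {
            seen = 1; found = 0
            for (i = 3; i <= NF; i++) if ($i == want) found = 1
            if (!found) { printf "%s%s", sep, cpu; sep = " " }
        }
        END { if (!seen) printf "?" }'
}

# gcm_accelerated: succeeds only if every CPU has both aes and pclmulqdq.
gcm_accelerated() {
    info=$(cat)
    [ -z "$(printf '%s\n' "$info" | cpus_missing_flag aes)" ] &&
        [ -z "$(printf '%s\n' "$info" | cpus_missing_flag pclmulqdq)" ]
}

# accel_report: one line per flag; avx2 matters for ChaCha20-Poly1305.
accel_report() {
    info=$(cat)
    for flag in aes pclmulqdq avx2; do
        missing=$(printf '%s\n' "$info" | cpus_missing_flag "$flag")
        if [ -z "$missing" ]; then
            echo "$flag: present on all CPUs"
        else
            echo "$flag: missing on cpu $missing"
        fi
    done
}

printf '%s\n' "$SAMPLE_CPUINFO" | accel_report      # constructed sample
if [ -r /proc/cpuinfo ]; then accel_report < /proc/cpuinfo; fi
```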

