[strongSwan] Maximizing throughput / kernel bottlenecks

Hose hose+strongswan at bluemaggottowel.com
Thu Apr 28 19:30:38 CEST 2016

What you say...Martin Willi (martin at strongswan.org):

> >(one of which is quite old - running a dual core netburst
> >P4 @2.8, the other two are VMs on decent hardware, all of which have no
> >load) are hitting walls at 300mb/s
> On a Netburst architecture you can't expect more; it does not have any
> acceleration for AES-GCM.

Fair enough, the P4 is just a box we keep around for testing purposes.
But the other two are VMs with no resource contention on very modern
hardware, so it seems odd that between those two they cannot go over
300mb/s either; it's like a hard wall. I would expect it to maybe not
reach gigabit speeds, but go faster than the links to the P4 box.

> >but can hit 980mb/s unencrypted,
> >leads me to some kind of kernel bottlneck.
> Encryption is that expensive.
> >The two VMs have aesni
> >support, or at least the aesni extension is getting passed through the
> >hypervisor to them.
> AESNI is half of the story only, you'll need CLMUL instructions as well
> (pclmulqdq in /proc/cpuinfo). Try to run
>   modprobe tcrypt sec=1 type=4 mode=211

> and check dmesg for the benchmark results.

Is there any documentation you can refer to me on the tcrypt module and
its use in this case? I ended up blind running it and the load shot up
high enough that the VM became unresponse and needed a reset.

> >Unfortunately no one seems to have any concrete
> >information (asked about this previously). My testing shows that there's
> >a bottleneck somewhere between 200-300mb/s most likely in the kernel
> >somewhere
> That's not true. Saturating Gbit links is not much of a problem with
> AESNI/CLMUL accelerated AES-GCM. Even with the AVX2-enabled ChaCha20Poly1305
> I got 700MBit/s on a single core, without pcrypt.
> Regards
> Martin

I'll have to try the other encryption methods, as I've been sticking to
mostly Cisco/Juniper supported encryption for interoperability reasons.
But looks like I should start looking into ChaCha for better

More information about the Users mailing list