[strongSwan] Fwd: Re: Maximizing throughput / kernel bottlenecks

Noel Kuntze noel at familie-kuntze.de
Wed Mar 16 23:40:04 CET 2016


Forgot to address the list. Sorry. My email to Hose is starting below.


-------- Forwarded Message --------
Subject: 	Re: [strongSwan] Maximizing throughput / kernel bottlenecks
Date: 	Wed, 16 Mar 2016 23:22:25 +0100
From: 	Noel Kuntze <noel at familie-kuntze.de>
To: 	Hose <hose+strongswan at bluemaggottowel.com>



Hello Hose,

> To keep crypto overhead down the IPsec tunnels are constructed in
> transport mode with aes128/sha1 for IKE and aes128/md5 for IPsec;
aes128-sha1 and aes128-md5 are not really the optimum.
Try to use aesgcm with any key length (lower key lengths are obviously faster).
There's mysterious packet loss going on in certain configurations.
Make sure you don't experience it (issue #1220).

> On machines
> connected via gig-e I'm getting between 150 - 200 mb/s on average over
> the tunnels (900+ mb/s unencrypted). One of those machines also has a
> tunnel over to my home via a consumer internet connection (10mb up, 50mb
> down) but I'm getting relatively slow speeds: ~20mb/s through the
> tunnel. It pushes the max speed of 50mb/s to the same host when
> unencrypted.. 
Don't rely on a consumer connection for testing and benchmarking.
ISPs do QoS. Test on a direct gigabit link between the boxes. Only then will you
get reliable benchmark results. Also make sure your kernel uses optimized crypto drivers.
Google will help you.

> The only thing I haven't done is migrate over to IKEv2 
> which is on the roadmap but haven't implemented yet due to some legacy 
> requirements, however I can't imagine that would actually affect 
> throughput as that seems to be a kernel bottleneck.
That wouldn't influence the rate anyway, because the kernel doesn't
know about IKE.

There are performance improvements coming in any of the next kernel versions,
which have been announced at the Netdev 1.1 conference in Seville in February.
They will introduce a lot of changes, which will improve performance.
The changes will improve performance nearly twofold.
A video of the specific talk is on YouTube (https://www.youtube.com/watch?v=JSbU5YE8Hc0).
The performance numbers are starting to be shown at 26:00.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
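
Not part of the original e-mail: an added example for the advice above to make sure the kernel uses optimized crypto drivers. It parses /proc/crypto-format text and reports the highest-priority implementation per algorithm. The function names and the embedded sample are constructed, and the algorithm names are assumed to be the Linux crypto API names for the transforms discussed in the thread.

```shell
#!/bin/sh
# For a given "name" the kernel crypto API uses the registered implementation
# with the highest "priority". best_driver ALGO [FILE] prints "driver module
# priority" for that implementation and exits 1 if ALGO is absent.
best_driver() {
    awk -v want="$1" '
        function commit() {
            if (name == want && prio + 0 > bestprio) {
                best = driver " " module " " prio; bestprio = prio + 0
            }
            name = driver = module = prio = ""
        }
        BEGIN { bestprio = -1 }
        /^name[ \t]*:/     { sub(/^[^:]*:[ \t]*/, ""); name = $0; next }
        /^driver[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); driver = $0; next }
        /^module[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); module = $0; next }
        /^priority[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); prio = $0; next }
        /^[ \t]*$/         { commit() }
        END { commit(); if (bestprio < 0) exit 1; print best }
    ' "${2:-/proc/crypto}"
}

# Constructed sample in /proc/crypto format (drivers and priorities illustrative).
sample_proc_crypto() {
    cat <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400

name         : rfc4106(gcm(aes))
driver       : rfc4106(gcm_base(ctr(aes-generic),ghash-generic))
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
EOF
}

# report [FILE]: one line per algorithm relevant to the thread (assumed names).
report() {
    for alg in 'rfc4106(gcm(aes))' 'cbc(aes)' 'hmac(sha1)' 'hmac(md5)'; do
        if d=$(best_driver "$alg" "${1:-/proc/crypto}"); then echo "$alg -> $d"
        else echo "$alg -> not registered"; fi
    done
}
if [ -r /proc/crypto ]; then report; fi
```

An algorithm reported as not registered may simply not have been instantiated yet, so run the report while a tunnel using it is up.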