[strongSwan] AWS Parallelisation

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 27 21:53:53 CEST 2017


Hello Nicholas,

It doesn't depend on strongSwan, because it doesn't process any ESP, UDPENCAP or AH packets.
I consider pcrypt a bandaid at best. In my experience, it only added 1/16th performance wise. At the same time,
you can't use HA. I don't think it's worth it. What performance gains did you measure when you test locally?

KInd regards

Noel

On 26.06.2017 18:58, Nicolas Fitton wrote:
> Hi All,
> I’ve setup strongSwan on two AWS instances (London & North Virginia) and after running some tests I’ve found that parallelisation does not seem to significantly speed up the broadcast rate, here are my test specs:
>
> The test:
>
> Run iperf tests to see the bandwidth
> To make sure you’re not throttled by iperf, run with up to 10 threads (so one test with 1 thread, one test with two threads and so on).
> Run each iperf test for 60 seconds at a packet size of 1500
>
> Run this test for standard packets (no VPN), standard strongSwan (VPN from Private IP to Private IP no parallelisation) and parallel strongSwan (VPN from Private IP to Private IP with parallelisation).
>
> Parallelisation is induced with crconf as described in the strongSwan parallelisation page (modprobe crypt and then crconf add driver "pcrypt(authenc(hmac(sha256),cbc(aes)))" type 3).
>
>
> Run these tests for two sizes of instances (by this I mean run tests between two of the same size):
>
>  1. t2.medium (2 cores)
>  2. c4.8xlarge (36 cores)
>
>
> The results were then logged in this spreadsheet: https://docs.google.com/spreadsheets/d/1bgLkkzabw93hUK86gRdWqHfxn0YaE5S2l6DW36VaO3o/edit?usp=sharing
>
> As you can see from the spreadsheet, there seems to be no reason to use parallel strongSwan on AWS servers, is this an issue with AWS (as when I’ve run these tests locally parallelisation is significantly faster) or is it a problem with the version of strongSwan I’m using (strongSwan U5.5.2/K4.4.0-1020-aws)
>
> Any advice is greatly appreciated and I’m happy to add extra information to this thread tomorrow (I’m on BST).
>
> Kind Regards
> Nicholas Fitton

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170627/39540459/attachment.sig>


More information about the Users mailing list