[strongSwan] IPsec performance figures

Martin Willi martin at strongswan.org
Thu May 4 08:45:55 CEST 2017


Hi,

> are there any reliable performance figures for IPsec throughput on
> x86_64 Linux machines?

Nothing I could reference here.

> Is 10 GBit/s feasible? If yes, how?

On commodity hardware, maybe, but only if/when:

 * using AES-GCM with AESNI/CLMUL, which can handle ~1Gbit/s/core
 * your NIC can separate traffic to multiple queues (8+), and each
   queue has a core assigned to process its traffic
 * you have multiple SAs and flows, so the flows can actually be
   separated to queues (and cores) in both directions.

If you can't effectively distribute traffic over NIC queues, you should
consider using pcrypt. Not sure if 10Gbit/s are possible, though.

Regards
Martin
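
An added illustration of the third condition above (not part of the original mail): a small simulation of why a single SA between two gateways stays on one queue and one core, while many SAs spread out. Assumptions: the NIC hashes the outer addresses plus the ESP SPI, CRC32 stands in for the NIC's real receive hash, and the gateway addresses and SPIs are constructed sample values.

```python
import struct
import zlib
from ipaddress import IPv4Address

GBIT_PER_CORE = 1.0   # "~1Gbit/s/core" for AES-GCM with AESNI/CLMUL, from the mail
NUM_QUEUES = 8        # "multiple queues (8+)", one core per queue


def rx_queue(src, dst, spi, num_queues=NUM_QUEUES):
    """Pick a receive queue for one ESP packet.

    Assumption: the NIC hashes outer src/dst address plus the ESP SPI.
    CRC32 is a stand-in for the NIC's real hash (usually Toeplitz).
    """
    key = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!I", spi)
    return zlib.crc32(key) % num_queues


def queues_used(sas, num_queues=NUM_QUEUES):
    """Return the set of queues (and so cores) hit by a list of (src, dst, spi) SAs."""
    return {rx_queue(src, dst, spi, num_queues) for src, dst, spi in sas}


def throughput_ceiling(sas, num_queues=NUM_QUEUES):
    """Rough upper bound in Gbit/s: busy cores times the per-core figure."""
    return len(queues_used(sas, num_queues)) * GBIT_PER_CORE


# Constructed sample data: two gateways using documentation addresses.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
single_sa = [(GW_A, GW_B, 0xC0000000)]
many_sas = [(GW_A, GW_B, 0xC0000000 + i) for i in range(16)]

if __name__ == "__main__":
    for name, sas in (("1 SA", single_sa), ("16 SAs", many_sas)):
        print(f"{name}: queues {sorted(queues_used(sas))}, "
              f"ceiling ~{throughput_ceiling(sas):.0f} Gbit/s")
```

Every packet of one SA carries the same addresses and SPI, so it always hashes to the same queue; the ceiling only rises when additional SAs give the hash something to separate.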

