[strongSwan] VPN Performance over WAN (jitter)
Christian Hanster
christian-hanster at gmx.de
Thu May 11 16:00:17 CEST 2017
Hi all,
At the moment I’m trying to optimize the network performance in a site-to-site setup (see config below). The connection is structured as follows:
<network A> <—> VPN-Router A <—> Internet (WAN) <—> VPN-Router B <—> <network b>
The problem is that the network performance between networks a and b is only around 45 MBit (iperf TCP test), although the WAN connection has nearly 100 MBit. So I monitored the network interfaces of the routers, and what I could see was that only around 48 MBit is flowing. To test whether it is a performance problem of the routers, I then connected the routers directly (through LAN) with each other and limited the network card to 100 MBit. Then the VPN performance is around 94 MBit. So the router performance is not the problem.
Then I simulated a varying delay on the network cards, and this seems to be the problem, because when I ping between the two networks over VPN and Internet, the latency is around 70ms (30ms deviation). The two servers have ping times around 32ms (3ms deviation). With varying delay activated, the simulated throughput is only around 55 MBit. My question now is whether there is any tuning possibility in strongSwan to deal with this varying latency.
Kind regards
Christian
conn RoutertoRouter
    keyexchange=ikev2
    right=192.168.100.2
    rightid=@test1
    rightsubnet=10.5.0.0/16
    left=192.168.100.1
    leftsubnet=10.4.0.0/16
    leftid=@test2
    auto=add
    authby=secret
    ikelifetime=3h
    keylife=600s
    rekeymargin=200s
    leftfirewall=yes
    mobike=no
    fragmentation=no
    keyingtries=%forever
    closeaction=restart
    dpdaction=restart
    esp=aes128-sha1-modp2048
    ike=aes128-sha1-modp2048