[strongSwan] VPN Performance over WAN (jitter)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu May 11 22:38:03 CEST 2017

Hello Christian,

> Then I simulate a *varying delay* in the network cards and this seems to be the problem because when I make a ping between the two networks over vpn and internet latency is around *70ms (30ms deviation)*. The two servers have ping times around 32ms (3ms deviations). With varying delay activated the simulated throughput is only around 55MBit. My question is now if there is any *tuning possibility* in strongswan to *deal* with this *varying latency*.

You can't, because no VPN packets go through strongSwan.

> Kind regards 
> Christian 
> conn RoutertoRouter
>         keyexchange=ikev2
>         right=
>         rightid=@test1
>         rightsubnet=
>         left=
>         leftsubnet=
>         leftid=@test2
>         auto=add
>         authby=secret
>         ikelifetime=3h
>         keylife=600s
>         rekeymargin=200s
>         leftfirewall=yes
>         mobike=no
>         fragmentation=no
>         keyingtries=%forever
>         closeaction=restart
>         dpdaction=restart
>         esp=aes128-sha1-modp2048
>         ike=aes128-sha1-modp2048

That conn is pretty bad.
Use auto=route, don't set closeaction. Don't set fragmentation (it only makes things worse, if you ever disable it, because it's not used when it's not needed anyway).
You can probably replace aes128-sha1 with aes128gcm8(-prfsha256). That is very likely faster (lower CPU load).

Kind regards,

Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
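The quoted conn with the suggestions from this reply applied, added here as an illustration and not taken from the original thread or from the strongSwan project. Addresses and subnets are placeholders; aes128gcm16 (the 16-byte ICV variant) is chosen here in place of aes128-sha1, and modp2048 is kept so PFS behaviour stays as in the original.

```ini
# ipsec.conf stanza (added example, not from the thread)
conn RoutertoRouter
        keyexchange=ikev2
        # auto=route installs a trap policy: the tunnel is negotiated
        # on demand by matching traffic, so closeaction is not needed.
        auto=route
        right=<PEER_PUBLIC_IP>         # placeholder
        rightid=@test1
        rightsubnet=<REMOTE_SUBNET>/24  # placeholder
        left=<LOCAL_PUBLIC_IP>         # placeholder
        leftsubnet=<LOCAL_SUBNET>/24    # placeholder
        leftid=@test2
        authby=secret
        ikelifetime=3h
        keylife=600s
        rekeymargin=200s
        leftfirewall=yes
        mobike=no
        # fragmentation and closeaction are left at their defaults
        keyingtries=%forever
        dpdaction=restart
        # AES-GCM is an AEAD: encryption and integrity in one pass,
        # so lower CPU load than aes128-sha1. modp2048 keeps PFS.
        esp=aes128gcm16-modp2048
        ike=aes128gcm16-prfsha256-modp2048
```

Packet forwarding and the effect of latency jitter on throughput happen in the kernel's IPsec stack, not in the strongSwan daemon, which is why the cipher choice is the main CPU-side lever this config exposes.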
