[strongSwan] VPN Performance over WAN (jitter)
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu May 11 22:38:03 CEST 2017
Hello Christian,
> Then I simulate a *varying delay* in the network cards and this seems to be the problem because when I make a ping between the two networks over vpn and internet latency is around *70ms (30ms deviation)*. The two servers have ping times around 32ms (3ms deviations). With varying delay activated the simulated throughput is only around 55MBit. My question is now if there is any *tuning possibility* in strongswan to *deal* with this *varying latency*.
You can't, because no VPN packets go through strongSwan.
>
> Kind regards
> Christian
>
> conn RoutertoRouter
>     keyexchange=ikev2
>     right=192.168.100.2
>     rightid=@test1
>     rightsubnet=10.5.0.0/16
>     left=192.168.100.1
>     leftsubnet=10.4.0.0/16
>     leftid=@test2
>     auto=add
>     authby=secret
>     ikelifetime=3h
>     keylife=600s
>     rekeymargin=200s
>     leftfirewall=yes
>     mobike=no
>     fragmentation=no
>     keyingtries=%forever
>     closeaction=restart
>     dpdaction=restart
>     esp=aes128-sha1-modp2048
>     ike=aes128-sha1-modp2048
That conn is pretty bad.
Use auto=route and don't set closeaction. Don't set fragmentation (it only makes things worse if you ever disable it, because it's not used when it's not needed anyway).
You can probably replace aes128-sha1 with aes128gcm8(-prfsha256). That is very likely faster (lower CPU load).
Kind regards,
Noel
--
Noel Kuntze
IT security consultant
GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
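The quoted conn with the changes from the reply applied, as an added example that is not part of the original thread: only the settings named above are changed (auto, closeaction, fragmentation, esp, ike); every other value is kept exactly as Christian posted it, and the prfsha256 on the ike line follows the "(-prfsha256)" hint, since an AEAD cipher in an IKE proposal needs an explicit PRF.

```conf
# ipsec.conf excerpt (added example; the original conn is in the quoted mail above)
conn RoutertoRouter
    keyexchange=ikev2
    right=192.168.100.2
    rightid=@test1
    rightsubnet=10.5.0.0/16
    left=192.168.100.1
    leftsubnet=10.4.0.0/16
    leftid=@test2
    # was auto=add: a trap policy brings the tunnel up on the first matching packet
    auto=route
    authby=secret
    ikelifetime=3h
    keylife=600s
    rekeymargin=200s
    leftfirewall=yes
    mobike=no
    # fragmentation=no removed: left at its default, fragmentation is only used when needed
    keyingtries=%forever
    # closeaction=restart removed: left at its default
    dpdaction=restart
    # AES-GCM replaces aes128-sha1: AEAD does encryption and integrity in one pass (lower CPU load)
    esp=aes128gcm8-modp2048
    ike=aes128gcm8-prfsha256-modp2048
```

Note that none of these settings change how the kernel handles ESP packets on a jittery link; the reply's point stands that strongSwan only negotiates the SAs and the data path lives in the kernel.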