[strongSwan] VPN Performance over WAN (jitter)

Christian Hanster christian-hanster at gmx.de
Fri May 12 14:36:00 CEST 2017


Hi Noel,

thanks for your response. 
> On 11 May 2017, at 22:38, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
> Hello Christian,
> 
>> Then I simulate a *varying delay* in the network cards and this seems to be the problem because when I make a ping between the two networks over VPN and internet latency is around *70ms (30ms deviation)*. The two servers have ping times around 32ms (3ms deviation). With varying delay activated the simulated throughput is only around 55MBit. My question is now if there is any *tuning possibility* in strongSwan to *deal* with this *varying latency*.
> 
> You can't, because no VPN packets go through strongSwan.
OK. So this is because strongSwan is using the Linux kernel for encryption and packet routing?!

> 
>> 
>> Kind regards 
>> Christian 
>> 
>> conn RoutertoRouter
>>        keyexchange=ikev2
>>        right=192.168.100.2
>>        rightid=@test1
>>        rightsubnet=10.5.0.0/16
>>        left=192.168.100.1
>>        leftsubnet=10.4.0.0/16
>>        leftid=@test2
>>        auto=add
>>        authby=secret
>>        ikelifetime=3h
>>        keylife=600s
>>        rekeymargin=200s
>>        leftfirewall=yes
>>        mobike=no
>>        fragmentation=no
>>        keyingtries=%forever
>>        closeaction=restart
>>        dpdaction=restart
>>        esp=aes128-sha1-modp2048
>>        ike=aes128-sha1-modp2048
> 
> That conn is pretty bad.
> Use auto=route, don't set closeaction. Don't set fragmentation (it only makes things worse, if you ever disable it, because it's not used when it's not needed anyway).
> You can probably replace aes128-sha1 with aes128gcm8(-prfsha256). That is very likely faster (lower CPU load).
OK, I changed the connection to make it faster (config is added below). However, I can see no change in the performance with varying delay in the network...
conn RoutertoRouter
        keyexchange=ikev2
        right=192.168.100.2
        rightid=@test2
        rightsubnet=10.5.0.0/16
        left=192.168.100.1
        leftsubnet=10.4.0.0/16
        leftid=@test1
        auto=route
        authby=secret
        ikelifetime=3h
        keylife=600s
        rekeymargin=200s
        leftfirewall=yes
        mobike=no
        keyingtries=%forever
        esp=aes128gmac-sha1-modp2048!
        ike=null-sha1-modp2048!


Kind regards
Christian 
> 
> Kind regards,
> Noel
> 
> -- 
> Noel Kuntze
> IT security consultant
> 
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> 
> 

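Added example, not code from the strongSwan project or from either poster: a small Python linter that parses ipsec.conf conn sections and flags the points Noel raised (auto=add, closeaction, fragmentation=no, classic cipher+HMAC proposals instead of an AEAD), plus two things worth checking in the revised proposal lines: strongSwan's aes128gmac keyword is GMAC with null encryption (integrity only), and null in an ike= line means the IKE payloads themselves are sent in clear. The two conn sections are embedded as constructed input copied from the thread (the revised one shortened to the keys that matter); the keyword classes (gcm/ccm as AEAD, modp/ecp as DH groups, prf* as PRFs) are strongSwan's own proposal syntax, everything else is assumed for the example.

```python
"""Lint strongSwan ipsec.conf 'conn' sections for the settings discussed in the thread.

Example code added for this page (not strongSwan's, not the posters'). Assumes the
classic ipsec.conf syntax: a 'conn NAME' header, indented key=value lines.
"""
import re

# --- constructed input: the conn sections posted in the thread -----------------
ORIGINAL_CONN = """\
conn RoutertoRouter
        keyexchange=ikev2
        right=192.168.100.2
        rightid=@test1
        rightsubnet=10.5.0.0/16
        left=192.168.100.1
        leftsubnet=10.4.0.0/16
        leftid=@test2
        auto=add
        authby=secret
        ikelifetime=3h
        keylife=600s
        rekeymargin=200s
        leftfirewall=yes
        mobike=no
        fragmentation=no
        keyingtries=%forever
        closeaction=restart
        dpdaction=restart
        esp=aes128-sha1-modp2048
        ike=aes128-sha1-modp2048
"""

# Revised conn, shortened to the keys the linter looks at.
REVISED_CONN = """\
conn RoutertoRouter
        keyexchange=ikev2
        auto=route
        esp=aes128gmac-sha1-modp2048!
        ike=null-sha1-modp2048!
"""

DH = re.compile(r"^(modp|ecp|curve25519|x25519|curve448|x448)")
PRF = re.compile(r"^prf")
INTEG = re.compile(r"^(sha|md5|aesxcbc|aescmac)")
ENCR = re.compile(r"^(aes|3des|des|blowfish|camellia|cast128|serpent|twofish|null|chacha20poly1305)")
AEAD = re.compile(r"gcm|ccm|chacha20poly1305")


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; a header is any non-indented line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_proposal_list(value):
    """'a-b-c,d-e!' -> ([['a','b','c'], ['d','e']], strict=True). The '!' applies to the whole list."""
    strict = value.endswith("!")
    value = value.rstrip("!")
    return [p.split("-") for p in value.split(",") if p], strict


def classify(algs):
    """Sort one proposal's keywords into encryption / integrity / DH / PRF buckets."""
    c = {"encr": [], "integ": [], "dh": [], "prf": [], "other": [], "aead": False, "gmac": False}
    for a in algs:
        if DH.match(a):
            c["dh"].append(a)
        elif PRF.match(a):
            c["prf"].append(a)
        elif INTEG.match(a):
            c["integ"].append(a)
        elif ENCR.match(a):
            c["encr"].append(a)
            c["aead"] |= bool(AEAD.search(a))
            c["gmac"] |= "gmac" in a      # aes*gmac = GMAC with null encryption
        else:
            c["other"].append(a)
    return c


def lint_conn(conf):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    if conf.get("auto") == "add":
        findings.append("auto=add: the SA is only negotiated when started explicitly or by the peer; "
                        "auto=route installs a trap policy so matching traffic (re)triggers negotiation")
    if "closeaction" in conf:
        findings.append(f"closeaction={conf['closeaction']}: not needed with auto=route, "
                        "the trap policy brings the CHILD_SA back on the next matching packet")
    if conf.get("fragmentation") == "no":
        findings.append("fragmentation=no: IKE fragmentation is only used for messages that would "
                        "not fit otherwise, so disabling it only removes the fallback")
    for key in ("esp", "ike"):
        if key not in conf:
            continue
        proposals, _strict = parse_proposal_list(conf[key])
        for algs in proposals:
            c, label = classify(algs), f"{key}={'-'.join(algs)}"
            if "null" in c["encr"] or c["gmac"]:
                findings.append(f"{label}: null encryption / GMAC gives integrity only, payload goes in clear"
                                + (" (never acceptable for IKE)" if key == "ike" else ""))
            elif not c["aead"]:
                findings.append(f"{label}: classic cipher + HMAC; an AEAD such as aes128gcm16 does both "
                                "in one pass and usually costs less CPU")
            if key == "ike" and c["aead"] and not c["prf"]:
                findings.append(f"{label}: AEAD IKE proposal needs an explicit PRF (e.g. prfsha256), "
                                "there is no integrity algorithm to derive it from")
            if not c["dh"]:
                findings.append(f"{label}: no DH group" + (" (required for IKE)" if key == "ike"
                                                            else " (no PFS for the CHILD_SA)"))
    return findings


def lint_text(text):
    """Lint every 'conn ...' section in an ipsec.conf fragment."""
    return {name: lint_conn(conf) for name, conf in parse_ipsec_conf(text).items()
            if name.startswith("conn ")}


if __name__ == "__main__":
    for title, text in (("original", ORIGINAL_CONN), ("revised", REVISED_CONN)):
        for name, findings in lint_text(text).items():
            print(f"[{title}] {name}")
            for f in findings:
                print("  -", f)
```

The script checks configuration only. It says nothing about the jitter problem itself, which, as Noel points out, is in the kernel's ESP path rather than in charon, so no conn setting will change it.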