[strongSwan] Problem with AES-NI parallelization

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 18 23:48:41 CEST 2017


Hi,

The algorithms strongSwan supports for IKE do not correlate at all to the algorithms the kernel supports. Traffic is handled by the kernel, not by charon.
"Just"  bind the RX queue of the NIC to one core. Assuming AES-NI is used at all, you will get line speed. On my ancient i7-3820 at 2.6GHz, I got 1.5GBit/s throughput over Ethernet. I figure that's enough.

You only get bad performance if the Kernel/the CPU is busy moving the skbs in the Kernel between different cores. If your NIC supports RSS and its siblings, you can make use of that to distribute the load of different SAs.

I haven't yet found any way to change the priority of the algorithms in the Kernel.

Kind regards

Noel

On 17.10.2017 16:44, Betz, Manuel wrote:
>
> Hello everyone,
>
>  
>
> as written in the subject, we have some problem to enable the parallelization described in the wiki: https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt
>
>  
>
> Our setup:
>
> One Ubuntu 16.04.3 LTS in Germany, one Ubuntu 16.04.3 LTS in Spain. Both are used to route certain hosts on every side via this line. The line itself is a dedicated 1Gbit Layer 2 connection. For security reasons, we like to encrypt all traffic between those servers, using Strongswan.
>
>  
>
> I installed the Strongswan packet provided by Ubuntu. Tunnel is running fine, max throughput so far was around 800Mbit. To use the full capacity of the line, we wanted to use the pcrypt feature.
>
>  
>
> I tried tcrypt and crconf. Crconf isn’t working at all, but tcrypt works. Unfortunately my output is different compared to the wiki:
>
>  
>
> root at iblsrv:# modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes-aesni)))" type=3
>
> modprobe: ERROR: could not insert 'tcrypt': Unknown symbol in module, or unknown parameter (see dmesg)
>
>  
>
> but dmesg only shows the following error: "tcrypt: one or more tests failed!"
>
>  
>
> module is loaded though:
>
> root at iblsrv:# lsmod | grep pcrypt
>
> pcrypt
>
>  
>
> I noticed there is no aes-ni plugin in the Ubuntu version of the packet:
>
>  
>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-96-generic, x86_64):
>
>   uptime: 5 days, since Oct 12 11:42:24 2017
>
>   malloc: sbrk 2543616, mmap 0, used 392416, free 2151200
>
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
>
>  
>
> Nevertheless, “cat “ lists a new entry at the very top, but it has a lower priority than some other entries (highest value in the list: 4000). Therefore it isn’t used:
>
>  
>
> root at iblsrv: # cat /proc/crypto
>
> name         : rfc4106(gcm(aes-aesni))
>
> driver       : pcrypt(pcrypt(rfc4106(gcm_base(ctr(aes-aesni),ghash-clmulni))))
>
> module       : pcrypt
>
> priority     : 550
>
> refcnt       : 1
>
> selftest     : passed
>
> internal     : no
>
> type         : aead
>
> async        : yes
>
> blocksize    : 1
>
> ivsize       : 8
>
> maxauthsize  : 16
>
> geniv        : <none>
>
>  
>
> There are no errors from Charon in syslog.
>
>  
>
> My ipsec.conf from one side:
>
>  
>
> config setup
>
>         charondebug="4"
>
>         uniqueids=yes
>
>         strictcrlpolicy=no
>
>  
>
> conn host-to-host
>
>     ikelifetime=60m
>
>     keylife=20m
>
>     rekeymargin=3m
>
>     keyingtries=1
>
>     dpdaction=restart
>
>  
>
> conn trap-any
>
>     also=host-to-host
>
>     right=192.168.250.230
>
>     leftsubnet=0.0.0.0/0
>
>     rightsubnet=172.22.1.28/32, 172.22.1.36/32
>
>     type=tunnel
>
>     authby=secret
>
>     auto=route
>
>     mark=42
>
>  
>
> ipsec statusall:
>
>  
>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-96-generic, x86_64):
>
>   uptime: 5 days, since Oct 12 11:42:24 2017
>
>   malloc: sbrk 2543616, mmap 0, used 392240, free 2151376
>
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
>
> Listening IP addresses:
>
>   192.168.250.234
>
>   192.168.250.229
>
> Connections:
>
>     trap-any:  %any...192.168.250.230  IKEv1/2, dpddelay=30s
>
>     trap-any:   local:  uses pre-shared key authentication
>
>     trap-any:   remote: [192.168.250.230] uses pre-shared key authentication
>
>     trap-any:   child:  0.0.0.0/0 === 172.22.1.28/32 172.22.1.36/32 TUNNEL, dpdaction=restart
>
> Routed Connections:
>
>     trap-any{1}:  ROUTED, TUNNEL, reqid 1
>
>     trap-any{1}:   0.0.0.0/0 === 172.22.1.28/32 172.22.1.36/32
>
> Security Associations (1 up, 0 connecting):
>
>     trap-any[240]: ESTABLISHED 6 minutes ago, 192.168.250.229[192.168.250.229]...192.168.250.230[192.168.250.230]
>
>     trap-any[240]: IKEv2 SPIs: 9bcf3c62125c333d_i* 51ac15c32eac7ea6_r, pre-shared key reauthentication in 46 minutes
>
>     trap-any[240]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
>     trap-any{751}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc9137a9_i c913b9b8_o
>
>     trap-any{751}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 9s ago), 0 bytes_o, rekeying in 8 minutes
>
>     trap-any{751}:   10.200.1.50/32 10.200.1.70/32 === 172.22.1.28/32 172.22.1.36/32
>
>     trap-any{752}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf0bce0d_i c4f1515b_o
>
>     trap-any{752}:  AES_CBC_128/HMAC_SHA1_96, 36036 bytes_i (169 pkts, 2s ago), 41722 bytes_o (205 pkts, 2s ago), rekeying in 9 minutes
>
>     trap-any{752}:   10.200.1.50/32 10.200.1.70/32 === 172.22.1.28/32 172.22.1.36/32
>
>  
>
> Any hints to solve the issue are very much appreciated!
>
>  
>
> Cheers Manuel
>
> *Manuel Betz*/
> Group IT Infrastructure - Network 
> /_______________________________________
>
> *GFT Technologies SE
> *Schelmenwasenstr. 34
> 70567 Stuttgart, Deutschland
>
> T +49 711 62042-117
> F +49 711 62042-101
> Manuel.Betz at gft.com
> www.gft.com <http://www.gft.com/de>/de
> http://blog.gft.com/de
> www.twitter.com/gft_de <http://www.twitter.com/gft_de>
>
> Geschäftsführende Direktoren: 
> Marika Lulay (CEO), Dr. Jochen Ruetz (CFO)
> Vorsitzender des Verwaltungsrats: Ulrich Dietz
> Registergericht: Amtsgericht Stuttgart, HRB 753709
> Sitz der Gesellschaft: Stuttgart
> _______________________________________
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171018/8b345f03/attachment.sig>


More information about the Users mailing list