[strongSwan] Problem with pcrypt

Sven Anders anders at anduras.de
Fri Sep 15 20:15:12 CEST 2017

On 15.09.2017 at 19:27, Noel Kuntze wrote:
> Hi,
> I guess ksoftirqd is rotating and kworker, too? If that's the case, you're suffering from
> an extremely disadvantageous distribution of ESP packets.

Hmmm. I did not see all CPUs are saturated. Only two CPUs are under load and the soft-irqs are
under 5%. kworker is under 5% too.

> You need to set the number of RX and TX queues on the card to the number of cores and
> use RSS to distribute the SAs correctly over all queues. Bind one RX and one TX queue to one core each.

What tool do I use for this?

>  Then use AES based ciphers, so you can use AES-NI. You can then get line speed per CHILD_SA.
> Pcrypt has some overhead due to synchronisation, so if your setup's performance problem is not caused
> by cipher execution time, pcrypt will not improve the situation.

What bothers me is that the throughput is decreasing. I can accept that due to synchronisation the
throughput is not increasing, but decreasing?

> Use aes128gcm8. aes256gcm16 causes unnecessary overhead and costs more performance.

Which ciphers do you suggest/recommend?
Do you know a working configuration that I can use as a reference?

> Disabling replay protection does not improve performance.

Ok, I did read about this in some posting, so I tried this too.

 Sven Anders

 Sven Anders <anders at anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin
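
The queue-per-core layout suggested in the quoted advice, sketched as a dry-run planner (an added example, not part of the original thread or of strongSwan). It reads text in /proc/interrupts format, reports how many cores currently service the NIC's queue interrupts, and prints the commands that would set the queue count and pin queue N to core N. Assumptions: the interface name `eth0`, a driver that names its vectors `eth0-TxRx-N`, and `ethtool -L ... combined` plus `/proc/irq/<n>/smp_affinity_list` as the mechanism; the sample input is constructed.

```shell
#!/bin/sh
# Added example: dry-run planner, it only prints commands and changes nothing.
# Constructed sample in /proc/interrupts format (4 cores, assumed NIC "eth0").
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:     100234          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:      90211          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:          0      80112          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:          0          0          0      70045   PCI-MSI 524291-edge      eth0-TxRx-3
  28:          3          0          0          0   PCI-MSI 524292-edge      eth0
  30:       5120          0          0          0   PCI-MSI 1048576-edge     eth1-TxRx-0'

# plan_affinity IFACE NCPU: reads /proc/interrupts-format text on stdin and
# prints one command per queue IRQ, pinning queue N to core (N mod NCPU).
plan_affinity() {
    iface=$1 ncpu=$2
    echo "ethtool -L $iface combined $ncpu"
    awk -v ifc="$iface" -v n="$ncpu" '
        # The last field is the IRQ name; queue vectors end in -<index>.
        index($NF, ifc "-") == 1 && $NF ~ /-[0-9]+$/ {
            irq = $1; sub(/:$/, "", irq)
            q = $NF; sub(/^.*-/, "", q)
            printf "echo %d > /proc/irq/%s/smp_affinity_list\n", q % n, irq
        }'
}

# busy_cores IFACE: counts the distinct cores that have handled at least one
# interrupt from IFACE queue vectors (a low count means uneven distribution).
busy_cores() {
    awk -v ifc="$1" '
        NR == 1 { ncpu = NF; next }
        index($NF, ifc "-") == 1 && $NF ~ /-[0-9]+$/ {
            for (i = 2; i <= ncpu + 1; i++) if ($i + 0 > 0) busy[i] = 1
        }
        END { c = 0; for (k in busy) c++; print c }'
}

echo "cores servicing eth0 queues: $(printf '%s\n' "$SAMPLE_INTERRUPTS" | busy_cores eth0) of 4"
printf '%s\n' "$SAMPLE_INTERRUPTS" | plan_affinity eth0 4
```

On a live system the input would be `/proc/interrupts` itself; if irqbalance is running it can rewrite these affinities afterwards.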