[strongSwan] Problem with pcrypt
anders at anduras.de
Fri Sep 15 20:15:12 CEST 2017
On 15.09.2017 at 19:27, Noel Kuntze wrote:
> I guess ksoftirqd is rotating and kworker, too? If that's the case, you're suffering from
> an extremely disadvantageous distribution of ESP packets.
Hmmm. I did not see all CPUs are saturated. Only two CPUs are under load and the soft-irqs are
under 5%. kworker is under 5% too.
> You need to set the number of RX and TX queues on the card to the number of cores and
> use RSS to distribute the SAs correctly over all queues. Bind one RX and one TX queue to one core each.
What tool do I use for this?
> Then use AES based ciphers, so you can use AES-NI. You can then get line speed per CHILD_SA.
> Pcrypt has some overhead due to synchronisation, so if your setup's performance problem is not caused
> by cipher execution time, pcrypt will not improve the situation.
What bothers me is that the throughput is decreasing. I can accept that, due to synchronisation, the
throughput is not increasing, but decreasing?
> Use aes128gcm8. aes256gcm16 causes unnecessary overhead and costs more performance.
Which ciphers do you suggest/recommend?
Do you know a working configuration that I can use as a reference?
> Disabling replay protection does not improve performance.
Ok, I did read about this in some posting, so I tried this too.
Sven Anders <anders at anduras.de> () UTF-8 Ribbon Campaign
/\ Support plain text e-mail
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
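
Added example, not part of the original message and not strongSwan's own code: a sketch of the "one queue per core" layout described in the quoted advice, which reads `/proc/interrupts`-style text and prints the affinity mask each queue IRQ would get. The interface name `eth0`, the `eth0-TxRx-N` IRQ naming and the sample counters are constructed assumptions; real names depend on the NIC driver.

```shell
#!/bin/sh
# Plan a one-queue-per-core IRQ affinity layout (planning only, writes nothing).
# Assumption: queue IRQs are named "<iface>-<something>-<N>"; this varies by driver.

# Constructed sample in /proc/interrupts format: 4 CPUs, 4 queue IRQs,
# every interrupt currently delivered to CPU0.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:    9182733          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:    8811270          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:         12          0          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:          9          0          0          0   PCI-MSI 524291-edge      eth0-TxRx-3
  28:          3          0          0          0   PCI-MSI 524292-edge      eth0'

# plan_affinity IFACE NCPUS   (reads /proc/interrupts text on stdin)
# Prints one line per queue IRQ: "<irq> <queue-name> <cpu> <hex-mask>".
# <hex-mask> is the value that would be written to /proc/irq/<irq>/smp_affinity.
# Single-word masks only, so this is valid for up to 32 CPUs.
plan_affinity() {
    awk -v iface="$1" -v ncpus="$2" '
        $NF ~ ("^" iface "-.*[0-9]+$") {
            irq = $1; sub(/:$/, "", irq)
            cpu = n % ncpus      # wrap around if there are more queues than cores
            printf "%s %s %d %x\n", irq, $NF, cpu, 2 ^ cpu
            n++
        }'
}

# The queue count itself is set with: ethtool -L <iface> combined <ncpus>
# (check what the driver supports with: ethtool -l <iface>).
printf '%s\n' "$SAMPLE_INTERRUPTS" | plan_affinity eth0 4
```

On a live system the same function can be fed from `/proc/interrupts` directly; applying a line means writing its mask to `/proc/irq/<irq>/smp_affinity` as root.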