[strongSwan] ipsec tunnel throughput measurement

Marco Berizzi pupilla at hotmail.com
Mon Mar 12 17:14:58 CET 2018 

Hello everyone,

I have completed some speed test between two slackware linux
4.14 system running strongswan. The purpose is to estimate
the network throughput inside an ipsec tunnel. Strongswan will
not affect results, but I hope this message will be still
informative for users subscribed to this list.

Here is the network schema:

+--------+     +--------+                  +--------+
| linux  |     | linux  |                  | linux  |
| iperf  +-----+ ipsec  +---ipsec tunnel---+ ipsec  +---dummy0 interface
| client |     | gateway|                  | gateway|   linux iperf server
+--------+     +--------+                  +--------+

MTU=1500bytes for all systems
The two ipsec gateway are running on Intel i5-3470 at 3.20GHz
AES-NI extension are enabled on this processor and the
kernel is built with them enabled as externals modules.
NIC models on the ipsec gateways are Intel Corporation I350
and Intel Corporation 82579LM

The following esp configuration where tested:

aes256-sha384-modp4096
camellia256-sha384-modp4096
camellia128-sha384-modp4096
chacha20poly1305-ntru256
3des-sha384

with the following tcp mss: 200 bytes, 500 bytes, 1000 bytes
and the maximum permitted by the ipsec tunnel.

And here are the results. Summary: chacha20 is the winner
followed by aes256 and camellia128.

maximum MSS:

throughput without any tunnel ipsec (only routing):
0.00-10.00  sec  1.09 GBytes   933 Mbits/sec            sender
0.00-10.04  sec  1.09 GBytes   929 Mbits/sec            receiver

chacha20poly1305
0.00-10.00  sec  1.06 GBytes   908 Mbits/sec            sender
0.00-10.05  sec  1.05 GBytes   901 Mbits/sec            receiver

aes256-sha384
0.00-10.00  sec  1.04 GBytes   896 Mbits/sec            sender
0.00-10.05  sec  1.04 GBytes   889 Mbits/sec            receiver

camellia128-sha384
0.00-10.00  sec   949 MBytes   796 Mbits/sec            sender
0.00-10.04  sec   947 MBytes   791 Mbits/sec            receiver

camellia256-sha384
0.00-10.00  sec   805 MBytes   676 Mbits/sec            sender
0.00-10.05  sec   804 MBytes   671 Mbits/sec            receiver

3des-sha384
0.00-10.00  sec   280 MBytes   235 Mbits/sec            sender
0.00-10.05  sec   279 MBytes   233 Mbits/sec            receiver


1000 bytes MSS:

throughput without any tunnel ipsec (only routing):
0.00-10.00  sec  1.06 GBytes   912 Mbits/sec            sender
0.00-10.04  sec  1.06 GBytes   907 Mbits/sec            receiver

chacha20poly1305
0.00-10.00  sec  1.02 GBytes   874 Mbits/sec            sender
0.00-10.05  sec  1.01 GBytes   867 Mbits/sec            receiver

aes256-sha384
0.00-10.00  sec  1016 MBytes   852 Mbits/sec            sender
0.00-10.05  sec  1013 MBytes   846 Mbits/sec            receiver

camellia128-sha384
0.00-10.00  sec   861 MBytes   723 Mbits/sec            sender
0.00-10.04  sec   859 MBytes   718 Mbits/sec            receiver

camellia256-sha384
0.00-10.00  sec   735 MBytes   617 Mbits/sec            sender
0.00-10.04  sec   733 MBytes   612 Mbits/sec            receiver

3des-sha384
0.00-10.00  sec   264 MBytes   221 Mbits/sec            sender
0.00-10.05  sec   262 MBytes   219 Mbits/sec            receiver


500 bytes MSS:

throughput without any tunnel ipsec (only routing):
0.00-10.00  sec   992 MBytes   832 Mbits/sec            sender
0.00-10.04  sec   990 MBytes   827 Mbits/sec            receiver

chacha20poly1305
0.00-10.00  sec   920 MBytes   772 Mbits/sec            sender
0.00-10.05  sec   918 MBytes   766 Mbits/sec            receiver

aes256-sha384
0.00-10.00  sec   879 MBytes   738 Mbits/sec            sender
0.00-10.04  sec   877 MBytes   732 Mbits/sec            receiver

camellia128-sha384
0.00-10.00  sec   684 MBytes   574 Mbits/sec            sender
0.00-10.04  sec   681 MBytes   569 Mbits/sec            receiver

camellia256-sha384
0.00-10.00  sec   593 MBytes   498 Mbits/sec            sender
0.00-10.04  sec   591 MBytes   493 Mbits/sec            receiver

3des-sha384
0.00-10.00  sec   231 MBytes   194 Mbits/sec            sender
0.00-10.05  sec   229 MBytes   191 Mbits/sec            receiver


200 bytes MSS:

throughput without any tunnel ipsec (only routing):
0.00-10.00  sec   795 MBytes   667 Mbits/sec            sender
0.00-10.04  sec   792 MBytes   662 Mbits/sec            receiver

chacha20poly1305
0.00-10.00  sec   549 MBytes   460 Mbits/sec            sender
0.00-10.04  sec   546 MBytes   456 Mbits/sec            receiver

aes256-sha384
0.00-10.00  sec   499 MBytes   418 Mbits/sec            sender
0.00-10.04  sec   496 MBytes   414 Mbits/sec            receiver

camellia128-sha384
0.00-10.00  sec   403 MBytes   338 Mbits/sec            sender
0.00-10.04  sec   399 MBytes   333 Mbits/sec            receiver

camellia256-sha384
0.00-10.00  sec   362 MBytes   303 Mbits/sec            sender
0.00-10.04  sec   359 MBytes   300 Mbits/sec            receiver

3des-sha384
0.00-10.00  sec   177 MBytes   148 Mbits/sec            sender
0.00-10.04  sec   173 MBytes   145 Mbits/sec            receiver

More information about the Users mailing list