[strongSwan] ipsec tunnel throughput measurement

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Mar 13 14:25:39 CET 2018


Hi,

That is not really surprising, considering the overhead the block cipher, hmac and additional headers contribute.
If your CPU isn't maxed out yet, you can get even higher speeds. You need one CHILD_SA per CPU core to take advantage of them.

Kind regards

Noel

On 12.03.2018 17:14, Marco Berizzi wrote:
> Hello everyone,
>
> I have completed some speed tests between two slackware linux
> 4.14 systems running strongswan. The purpose is to estimate
> the network throughput inside an ipsec tunnel. Strongswan will
> not affect results, but I hope this message will still be
> informative for users subscribed to this list.
>
> Here is the network schema:
>
> +--------+     +--------+                  +--------+
> | linux  |     | linux  |                  | linux  |
> | iperf  +-----+ ipsec  +---ipsec tunnel---+ ipsec  +---dummy0 interface
> | client |     | gateway|                  | gateway|   linux iperf server
> +--------+     +--------+                  +--------+
>
> MTU=1500bytes for all systems
> The two ipsec gateways are running on Intel i5-3470 at 3.20GHz
> AES-NI extensions are enabled on this processor and the
> kernel is built with them enabled as external modules.
> NIC models on the ipsec gateways are Intel Corporation I350
> and Intel Corporation 82579LM
>
> The following esp configurations were tested:
>
> aes256-sha384-modp4096
> camellia256-sha384-modp4096
> camellia128-sha384-modp4096
> chacha20poly1305-ntru256
> 3des-sha384
>
> with the following tcp mss: 200 bytes, 500 bytes, 1000 bytes
> and the maximum permitted by the ipsec tunnel.
>
> And here are the results. Summary: chacha20 is the winner
> followed by aes256 and camellia128.
>
> maximum MSS:
>
> throughput without any tunnel ipsec (only routing):
> 0.00-10.00  sec  1.09 GBytes   933 Mbits/sec            sender
> 0.00-10.04  sec  1.09 GBytes   929 Mbits/sec            receiver
>
> chacha20poly1305
> 0.00-10.00  sec  1.06 GBytes   908 Mbits/sec            sender
> 0.00-10.05  sec  1.05 GBytes   901 Mbits/sec            receiver
>
> aes256-sha384
> 0.00-10.00  sec  1.04 GBytes   896 Mbits/sec            sender
> 0.00-10.05  sec  1.04 GBytes   889 Mbits/sec            receiver
>
> camellia128-sha384
> 0.00-10.00  sec   949 MBytes   796 Mbits/sec            sender
> 0.00-10.04  sec   947 MBytes   791 Mbits/sec            receiver
>
> camellia256-sha384
> 0.00-10.00  sec   805 MBytes   676 Mbits/sec            sender
> 0.00-10.05  sec   804 MBytes   671 Mbits/sec            receiver
>
> 3des-sha384
> 0.00-10.00  sec   280 MBytes   235 Mbits/sec            sender
> 0.00-10.05  sec   279 MBytes   233 Mbits/sec            receiver
>
>
> 1000 bytes MSS:
>
> throughput without any tunnel ipsec (only routing):
> 0.00-10.00  sec  1.06 GBytes   912 Mbits/sec            sender
> 0.00-10.04  sec  1.06 GBytes   907 Mbits/sec            receiver
>
> chacha20poly1305
> 0.00-10.00  sec  1.02 GBytes   874 Mbits/sec            sender
> 0.00-10.05  sec  1.01 GBytes   867 Mbits/sec            receiver
>
> aes256-sha384
> 0.00-10.00  sec  1016 MBytes   852 Mbits/sec            sender
> 0.00-10.05  sec  1013 MBytes   846 Mbits/sec            receiver
>
> camellia128-sha384
> 0.00-10.00  sec   861 MBytes   723 Mbits/sec            sender
> 0.00-10.04  sec   859 MBytes   718 Mbits/sec            receiver
>
> camellia256-sha384
> 0.00-10.00  sec   735 MBytes   617 Mbits/sec            sender
> 0.00-10.04  sec   733 MBytes   612 Mbits/sec            receiver
>
> 3des-sha384
> 0.00-10.00  sec   264 MBytes   221 Mbits/sec            sender
> 0.00-10.05  sec   262 MBytes   219 Mbits/sec            receiver
>
>
> 500 bytes MSS:
>
> throughput without any tunnel ipsec (only routing):
> 0.00-10.00  sec   992 MBytes   832 Mbits/sec            sender
> 0.00-10.04  sec   990 MBytes   827 Mbits/sec            receiver
>
> chacha20poly1305
> 0.00-10.00  sec   920 MBytes   772 Mbits/sec            sender
> 0.00-10.05  sec   918 MBytes   766 Mbits/sec            receiver
>
> aes256-sha384
> 0.00-10.00  sec   879 MBytes   738 Mbits/sec            sender
> 0.00-10.04  sec   877 MBytes   732 Mbits/sec            receiver
>
> camellia128-sha384
> 0.00-10.00  sec   684 MBytes   574 Mbits/sec            sender
> 0.00-10.04  sec   681 MBytes   569 Mbits/sec            receiver
>
> camellia256-sha384
> 0.00-10.00  sec   593 MBytes   498 Mbits/sec            sender
> 0.00-10.04  sec   591 MBytes   493 Mbits/sec            receiver
>
> 3des-sha384
> 0.00-10.00  sec   231 MBytes   194 Mbits/sec            sender
> 0.00-10.05  sec   229 MBytes   191 Mbits/sec            receiver
>
>
> 200 bytes MSS:
>
> throughput without any tunnel ipsec (only routing):
> 0.00-10.00  sec   795 MBytes   667 Mbits/sec            sender
> 0.00-10.04  sec   792 MBytes   662 Mbits/sec            receiver
>
> chacha20poly1305
> 0.00-10.00  sec   549 MBytes   460 Mbits/sec            sender
> 0.00-10.04  sec   546 MBytes   456 Mbits/sec            receiver
>
> aes256-sha384
> 0.00-10.00  sec   499 MBytes   418 Mbits/sec            sender
> 0.00-10.04  sec   496 MBytes   414 Mbits/sec            receiver
>
> camellia128-sha384
> 0.00-10.00  sec   403 MBytes   338 Mbits/sec            sender
> 0.00-10.04  sec   399 MBytes   333 Mbits/sec            receiver
>
> camellia256-sha384
> 0.00-10.00  sec   362 MBytes   303 Mbits/sec            sender
> 0.00-10.04  sec   359 MBytes   300 Mbits/sec            receiver
>
> 3des-sha384
> 0.00-10.00  sec   177 MBytes   148 Mbits/sec            sender
> 0.00-10.04  sec   173 MBytes   145 Mbits/sec            receiver
>
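Added example, not part of either message: a model of ESP tunnel-mode framing (RFC 4303) that computes how much of each measured drop the extra header, IV, padding and ICV bytes alone would predict, next to the sender-side rates posted above for the 1000, 500 and 200 byte MSS runs. Assumptions: IPv4 without NAT-T, TCP without options, TCP payload equal to the MSS, and 38 bytes of Ethernet wire overhead per frame; the function names are made up for this example.

```python
# Added example: ESP tunnel-mode framing model (RFC 4303) vs. the posted rates.
# Assumptions: IPv4, no NAT-T, no TCP options, TCP payload == MSS.
ETH_WIRE = 38    # Ethernet header 14 + FCS 4 + preamble 8 + inter-frame gap 12
INNER_HDRS = 40  # inner IPv4 header 20 + TCP header 20

# suite: (IV bytes, padding alignment, ICV bytes)
SUITES = {
    "chacha20poly1305":   (8, 4, 16),    # RFC 7634: 8-byte IV, 16-byte tag
    "aes256-sha384":      (16, 16, 24),  # CBC IV + HMAC-SHA-384-192 (RFC 4868)
    "camellia128-sha384": (16, 16, 24),
    "camellia256-sha384": (16, 16, 24),
    "3des-sha384":        (8, 8, 24),
}

# Sender-side Mbit/s copied from the quoted message.
# MSS: (no tunnel, then one value per suite in SUITES order)
MEASURED = {
    1000: (912, 874, 852, 723, 617, 221),
    500:  (832, 772, 738, 574, 498, 194),
    200:  (667, 460, 418, 338, 303, 148),
}

def esp_packet_len(inner_len, suite):
    """Length of the outer IPv4 packet carrying one inner packet in ESP."""
    iv, align, icv = SUITES[suite]
    # inner packet + padding + pad-length byte + next-header byte is aligned
    padded = -(-(inner_len + 2) // align) * align
    return 20 + 8 + iv + padded + icv  # outer IPv4, SPI+seq, IV, data, ICV

def header_bound_ratio(mss, suite):
    """Tunnel/no-tunnel goodput if only the extra bytes on the wire mattered."""
    inner = mss + INNER_HDRS
    return (inner + ETH_WIRE) / (esp_packet_len(inner, suite) + ETH_WIRE)

def compare():
    """Rows of (mss, suite, predicted ratio, measured ratio)."""
    rows = []
    for mss, (plain, *rates) in MEASURED.items():
        for suite, rate in zip(SUITES, rates):
            rows.append((mss, suite, round(header_bound_ratio(mss, suite), 3),
                         round(rate / plain, 3)))
    return rows

if __name__ == "__main__":
    for mss, suite, predicted, measured in compare():
        print(f"MSS {mss:4}  {suite:19} headers {predicted:.3f}  measured {measured:.3f}")
```

Where the measured ratio tracks the predicted one (aes256-sha384 at 500 and 1000 bytes MSS), the loss matches the added framing bytes; where it falls well below (3des-sha384 everywhere, every suite at 200 bytes MSS), the gap is not explained by framing bytes alone.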
