[Swan] Libreswan Performance tests

Paul Wouters paul at nohats.ca
Fri Jan 9 15:55:59 EET 2015

On Fri, 9 Jan 2015, Muenz, Michael wrote:

> for a small project I have 2 Nexcom NSA3150 appliances here and did some 
> performance testing.
> Thought you would be interested in too.
> The setup is 2 boxes with a L3 Cataylst between doing the routing. Behind the 
> Firewalls 2 PC's. On every system Debian 8 is installed.
> Libreswan 3.12 is installed via deb's, KLIPS used, AES256/SHA1/DH14 IKEv1.

It would be interesting to see the numbers for the same esp= tests we
did at https://libreswan.org/wiki/Benchmarking_and_Performance_testing

Note the IKE performance testing is much harder to do and we did not do
that. On normal IKE/IPsec servers, the amount of crypto done by IKE is
nothing compared to the crypto done by IPsec/ESP.

> This setup will be online for the next week. If someone wants me to test some 
> extra stuff, e.g. some sysctl tuning, just drop me a line.
> Throughput of over 600mibt is very impressive, cause only one CPU is around 
> 50-100% and load is 0.

I'd be interested in the esp= algos listed on the above libreswan page.
Note that some of those algorithms are not available for KLIPS.

(My tests on the IBM x3550m4 failed to run properly for KLIPS, so I
could only provide NETKEY numbers. KLIPS worked for simple pings, but
running iperf it just locked up)

Note that on embedded platforms, you might see a lot of gain using the
OCF kernel module (ocf.ko with cryptosoft.ko) with KLIPS for those
crypto hardware drivers supported by Linux natively. OCF will also allow
KLIPS to use multiple CPU cores, which it cannot do without OCF.
See _stackmanager for some OCF detection/configuration if you are not
using _stackmanager on your embedded platform to start libreswan.

> [ 3] 0.0-10.0 sec 275 MBytes 231 Mbits/sec

It would be good if we could compare plaintext speeds with IPsec speeds,
so that we have an idea of what the cost is for enabling IPsec on those

Note also that for LAN connections and high speed interfaces (10GigE)
you should really set the MTU to 9000 or else you won't see more than
1Gbps. The ethtool output might also be useful to verify various
hardware offload settings which can get in the way of performance when
running IPsec.

I would love to add  some summaries of hardware and performance on our
libreswan benchmarking page with links to yours if we can get the
additional information (hardware, cpu model, ram, nic brands, etc)


More information about the Swan mailing list