[Swan] Libreswan Performance
Paul Wouters
paul at nohats.ca
Wed Mar 29 16:59:54 UTC 2017
On Wed, 29 Mar 2017, Craig Marker wrote:
> I didn’t mean for my terminology of ‘Libreswan Performance’ to distract from the real problem I am facing. When I run an IPsec tunnel
> using Libreswan as a distribution, I’m seeing a single core be CPU bound solely by soft interrupts. I understand that it may not inherently
> be a problem with Libreswan, but I figured those using it might be most aware of certain kernel tweaks that improve performance.
>
> Here is the summation output of mpstat -p ALL while the iperf3 client/server stream was running.
>
> Average:  CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
> Average:  all    0.84    0.00    0.29    0.02    0.00   26.26    0.00    0.00    0.00   72.59
> Average:    0    0.49    0.00    0.18    0.03    0.00    0.00    0.00    0.00    0.00   99.30
> Average:    1    0.05    0.00    0.03    0.00    0.00   99.25    0.00    0.00    0.00    0.67
> Average:    2    0.98    0.00    0.58    0.04    0.00    0.18    0.00    0.00    0.00   98.22
> Average:    3    2.01    0.00    0.40    0.01    0.00    0.79    0.00    0.00    0.00   96.79
>
>
> With that, is there a kernel version you would recommend trying? Are there certain kernel settings you would investigate/tweak?

Oh, I misunderstood.

You can try increasing the replay-window or disabling replay detection
using replay-window=64 or replay-window=0

Ensure you are using AES_GCM as ESP algorithm for best performance.

You can try to load the pcrypt kernel module to use multiple CPUs, but
the documentation of the pcrypt module is non-existent and existing
examples you find on a Google search are wrong. I would be interested
if you can get this to work.

There is also ethernet hardware and offload tweaking that is possible.

Some links that might help:

https://libreswan.org/wiki/Benchmarking_and_Performance_testing
https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt

Paul