[Swan] Need Help

Paul Wouters paul at nohats.ca
Mon Oct 7 14:56:59 UTC 2019


On Fri, 4 Oct 2019, Raees Khan wrote:

> I am using Libreswan IPSec VPN in transport mode. (L2tpv3 over IPSec). We see a lag in one of our applications running
> between sites. Normally, it is 16 to 20 ms. However, every 7:45 it shows some lag / delay in application up to 400ms.
> 
> We tested the performance of this connection. The communication delay (from end device to end device). During these tests we
> recognized a significant delay about every 7h 45min of 190 ms to 700 ms. After checking router config and logs we assumed
> the SA key exchange is responsible for the delay. The SA lifetime was configured to 8h. After changing the lifetime to 1h the
> delay occurred about every 45 min.
> 
> 
> This could be the CPU or Libreswan could be optimized to avoid this issue?
> 
> 
> Any help would highly be appreciated.

You might see some speed improvements on libreswan 3.29 and (soon to be
released) 3.30, as we did do some duplicate work with DH or authentication
in some cases.

Also check and see if you have AES-NI hardware acceleration and if so,
use aes_gcm and not aes-shaX.

You can also try pfs=no if not already set, but of course then you have
no perfect forward secrecy, but you will do less DH calculations.

Paul
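
A small audit of the settings named in the reply above (AES-NI presence, the esp algorithm, pfs and salifetime), as an added example that is not part of the original thread or Libreswan's own tooling. The conn name site-a and the sample cpuinfo and ipsec.conf contents are constructed, and the helper function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit one conn for the settings in the reply.

# True if the cpuinfo file lists the x86 "aes" flag (AES-NI).
has_aesni() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Print the last value of KEY inside "conn NAME" of an ipsec.conf-style file.
conn_value() {  # usage: conn_value FILE NAME KEY
    awk -v name="$2" -v key="$3" '
        /^conn[ \t]+/ { in_conn = ($2 == name); next }
        in_conn && /^[ \t]+[A-Za-z0-9_-]+[ \t]*=/ {
            k = $0; sub(/^[ \t]+/, "", k); v = k
            sub(/[ \t]*=.*/, "", k)
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) found = v
        }
        END { if (found != "") print found }' "$1"
}

# Report esp/pfs/salifetime for one conn against the CPU's capabilities.
audit_conn() {  # usage: audit_conn CPUINFO CONF NAME
    esp=$(conn_value "$2" "$3" esp)
    pfs=$(conn_value "$2" "$3" pfs)
    life=$(conn_value "$2" "$3" salifetime)
    case "$esp" in
        "")       echo "esp: unset" ;;
        aes_gcm*) echo "esp: $esp (already aes_gcm)" ;;
        *)  if has_aesni "$1"; then
                echo "esp: $esp -> AES-NI present, switch to aes_gcm"
            else
                echo "esp: $esp (no aes CPU flag found)"
            fi ;;
    esac
    [ "$pfs" = no ] && echo "pfs: no (fewer DH calculations, no forward secrecy)" \
                    || echo "pfs: ${pfs:-unset}"
    echo "salifetime: ${life:-unset}"
}

# Constructed sample inputs so the script runs offline.
sample_cpuinfo() { printf 'processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n'; }
sample_conf() { printf 'conn site-a\n    esp=aes256-sha1\n    salifetime=8h\n'; }

tmp=$(mktemp -d) && sample_cpuinfo > "$tmp/cpuinfo" && sample_conf > "$tmp/ipsec.conf"
audit_conn "$tmp/cpuinfo" "$tmp/ipsec.conf" site-a
```

On a real gateway, pass /proc/cpuinfo and the file that holds the conn in place of the sample files.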

