<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hey Paul,
<div class=""><br class="">
</div>
<div class="">I took the advice you mentioned, and have gotten the pcrypt module working. Surprisingly, Strongswan’s wiki provided me enough information</div>
<div class="">to get it working on my system. Thanks for the quick feedback! Of note, I was not able to get the crconf way working..</div>
<div class=""><br class="">
</div>
<div class="">I’m on kernel version 3.10.0-514.10.2.el7.x86_64 and am running Centos 7.3.</div>
<div class=""><br class="">
</div>
<div class="">Interestingly, though, depending on sequence of events, I either get dramatically better performance, or my system reboots! The dramatically</div>
<div class="">better performance is an improvement from ~230Mbps to upwards of 500/600Mbps. That is awesome! However, the sequence that causes reboot</div>
<div class="">is the sequence I would prefer to run on my system.</div>
<div class=""><br class="">
</div>
<div class="">The sequence that works successfully is as follows: **Note: all modprobe commands are ONLY run on tunnel endpoint A. </div>
<div class=""><br class="">
</div>
<div class="">1. Reboot system</div>
<div class="">2. Connect IPsec tunnels, configuration shown below</div>
<div class="">3. modprobe pcrypt</div>
<div class="">4. modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3</div>
<div class="">5. Reconnect IPsec tunnels, same configuration.</div>
<div class=""><br class="">
</div>
<div class="">The sequence that causes reboot is as follows:</div>
<div class=""><br class="">
</div>
<div class="">1. Reboot system</div>
<div class="">2. modprobe pcrypt</div>
<div class="">3. modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3</div>
<div class="">4. Connect IPsec tunnels, configuration shown below.</div>
<div class="">5. Ping across tunnel</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Tunnel endpoint A:</div>
<div class="">
<div class="">config setup</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dumpdir=/var/run/pluto/</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>protostack=netkey</div>
<div class=""><br class="">
</div>
<div class=""># begin conn local</div>
<div class="">conn local</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=10.200.0.210</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@client"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftcert=client</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="@is1"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=10.200.0.92</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=1/0xffffffff</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=vti01</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes_gcm-null</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""># end conn local</div>
</div>
<div class=""><br class="">
</div>
<div class="">Tunnel endpoint B:</div>
<div class="">
<div class="">config setup</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dumpdir=/var/run/pluto/</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>protostack=netkey</div>
<div class=""><br class="">
</div>
<div class=""># begin conn local</div>
<div class="">conn local</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=10.200.0.210</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@client"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="@is1"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=10.200.0.92</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightcert=server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=1/0xffffffff</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=vti01</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes_gcm-null</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""># end conn local</div>
</div>
<div class=""><br class="">
</div>
<div class="">I’m going to keep looking to try and understand why this is happening. There is nothing in the logs that raises any red flags. Let me know</div>
<div class="">if you can think of anything I should look out for. I’ve tried playing around with the sequence a bit, but none of my attempts have been</div>
<div class="">successful</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
--</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
cm</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Mar 29, 2017, at 9:59 AM, Paul Wouters <<a href="mailto:paul@nohats.ca" class="">paul@nohats.ca</a>> wrote:</div>
<div class="">
<div class=""><br class="">
Oh I misunderstood.<br class="">
<br class="">
You can try increasing the replay-window or disabling replay detection<br class="">
using replay-window=64 or replay-window=0<br class="">
<br class="">
Ensure you are using AES_GCM as ESP algorithm for best performance.<br class="">
<br class="">
You can try to load the pcrypt kernel module to use multiple CPUs, but<br class="">
the documentation of the pcrypt module is non-existent and existing<br class="">
examples you find on a google search are wrong. I would be interested<br class="">
if you can get this to work.<br class="">
<br class="">
There is also ethernet hardware and offload tweaking that is possible.<br class="">
<br class="">
Some links that might help:<br class="">
<br class="">
<a href="https://libreswan.org/wiki/Benchmarking_and_Performance_testing" class="">https://libreswan.org/wiki/Benchmarking_and_Performance_testing</a><br class="">
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt" class="">https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt</a><br class="">
<br class="">
Paul<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>