Hi, we are connecting two nearby data centers through a high-bandwidth but not perfectly secure optical fiber, so we want to add a layer of encryption on top of that. That is when we decided to give libreswan a try.

The hardware we use is a Supermicro twins server with an X520 NIC (82599es rev 1); the OS is CentOS 7 upgraded to the latest version. The kernels we tried are the stock CentOS kernel (3.x) and the elrepo kernel-ml (5.1.x). As a result, we managed to improve its bandwidth to 5 Gbps (single TCP thread) by upgrading the kernel to elrepo's latest kernel-ml and the libreswan software with source code pulled from GitHub, with nic-offload set to no and the phase 2 algorithm set to aes_gcm128-null. The kernel thread runs at 100% of the thread's CPU with the current configuration.

But here is the problem: we checked ethtool -k ens1p0, and it says esp-hw-offload: on. So we decided to fully utilize it. We set nic-offload to yes, which led to ip xfrm state having lines that say ```crypt offload .... dev ens1p0```, but after that, the bandwidth dropped to 28 Mbps. Whether or not I set nic-offload to yes on the receiving side, as long as I set it to yes on the sending side, it drops to 28 Mbps. The CPU is almost idle on every core.

I thought that it could be an issue related to the driver, so I'm wondering how to diagnose that and whether I could help to resolve this problem.

_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired