Hi,

> Has anyone else seen this problem with the ksoftirq thread reaching 100%?
> Is there anything that can be done to alleviate this problem?

The kernel handles ESP data path processing in this thread, and it is by default limited to the single core that processes NIC interrupts. So you basically just hit the encryption rate limit on your kernel.

> The box has a gig ethernet card (a Broadcom NetExtreme II), and is
> handling maybe around half its capacity.

This is actually what you can expect from today's commodity hardware without further tweaks.

> I have seen this on boxes with aes-ni enabled and also disabled
> The cipher suite chosen is AES-128

AES-NI is quite powerful and should allow you to increase your throughput. However, running AES in GCM mode is preferable, as using a traditional HMAC integrity function could become the bottleneck otherwise.

If that doesn't help, you might consider using parallelized ESP processing [1], allowing you to take advantage of a multi-core system.

Regards
Martin

[1] https://www.strongswan.org/docs/Steffen_Klassert_Parallelizing_IPsec.pdf

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
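
One way to confirm the single-core bottleneck described in the reply above, as an added example that is not part of the original message or of strongSwan: compare two snapshots of /proc/softirqs and see how the NET_RX work in that interval is spread over the cores. The sample snapshots are constructed, and the function names and the 90% threshold are assumptions chosen for illustration.

```python
"""Is NET_RX softirq work (where the ESP data path runs) pinned to one core?"""

# Constructed samples in /proc/softirqs format, taken a few seconds apart.
SAMPLE_BEFORE = """\
                    CPU0       CPU1       CPU2       CPU3
          HI:          0          0          0          0
       TIMER:     500000     480000     470000     460000
      NET_TX:       1200         10          8          9
      NET_RX:    9000000       1500       1200       1100
"""
SAMPLE_AFTER = """\
                    CPU0       CPU1       CPU2       CPU3
          HI:          0          0          0          0
       TIMER:     501000     481000     471000     461000
      NET_TX:       1300         11          8          9
      NET_RX:    9800000       1600       1250       1150
"""

def parse_softirqs(text):
    """Return {softirq_name: {cpu: count}} from /proc/softirqs content."""
    lines = [l for l in text.splitlines() if l.strip()]
    cpus = lines[0].split()              # header row: CPU0 CPU1 ...
    table = {}
    for line in lines[1:]:
        name, _, rest = line.partition(":")
        table[name.strip()] = dict(zip(cpus, (int(x) for x in rest.split())))
    return table

def net_rx_share(before, after, row="NET_RX"):
    """Fraction of the interval's NET_RX softirqs handled by each CPU."""
    b, a = parse_softirqs(before)[row], parse_softirqs(after)[row]
    # A CPU absent from the first snapshot (hot-plugged) counts from zero.
    delta = {cpu: max(a[cpu] - b.get(cpu, 0), 0) for cpu in a}
    total = sum(delta.values())
    return {cpu: (d / total if total else 0.0) for cpu, d in delta.items()}

def pinned_core(before, after, threshold=0.9):
    """Name of the CPU doing >= threshold of NET_RX work, else None."""
    shares = net_rx_share(before, after)
    cpu, share = max(shares.items(), key=lambda kv: kv[1])
    return cpu if share >= threshold else None

if __name__ == "__main__":
    for cpu, s in net_rx_share(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{cpu}: {s:6.1%} of NET_RX softirqs in the interval")
    print("single-core bottleneck on:", pinned_core(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a live gateway, read /proc/softirqs twice a few seconds apart under load and pass the two strings in place of the samples.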