Hi all,

I am totally new to Linux and strongSwan, but after countless hours of reading mailing lists and forums, I have strongSwan 5.2.0 working with RADIUS and RSA certificate auth for a variety of devices. Currently I am stuck with a performance problem (iperf) through an IPSec tunnel from a notebook (Win8) to the server, which are connected through a switch.

My server is dual CPU (Xeon E5-2620v2 with AES-NI support) / 6x2 cores (HyperThreading disabled) / Intel 1Gbps NIC / CentOS v6.5.


Without IPSec I get 640Mbits, CPU load is 18% (one core). The speed is quite low; I suspect it's because of the switch. I will try with a crossover cable later.
------------------------------------------------------------
Client connecting to 10.20.0.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.11 port 54248 connected with 10.20.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   767 MBytes   643 Mbits/sec


With IPSec I get only 181Mbps, CPU load is 14%.
------------------------------------------------------------
Client connecting to 10.20.0.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.20.0.3 port 54513 connected with 10.20.0.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   216 MBytes   181 Mbits/sec

I am really stuck here. Any ideas what could be wrong? I would appreciate any help.


Here is the openssl speed test for aes-128-gcm, which shows 506MBps speed:
------------------------------------------------------------
[root@s1 /]# openssl speed -evp aes-128-gcm
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm    205988.85k   506637.18k   654777.26k   708192.94k   727229.15k

My ipsec.conf:
------------------------------------------------------------
conn %default
    auto=add
    forceencaps=yes
    compress=yes
    keyexchange=ike
    ikelifetime=3h
    lifetime=1h
    rekeymargin=3m
    margintime=9m
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=server-10.0.0.3.crt
    leftfirewall=no
    right=%any
    rightsourceip=10.20.0.2/16
    rightdns=212.59.1.1

conn win7_EAP
    keyexchange=ikev2
    ike=aes128gcm8-sha256-modp1024
    esp=aes128gcm8-sha256-modp1024
    dpdaction=clear
    dpddelay=300s
    rekey=no
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
