All,

I’m working with Strongswan 5.3.2 on Centos 7.1 (also 6.6).

This is a totally greenfield implementation so I have some latitude as we 
control both ends of the link (and both will be running Strongswan).

I’m working with pcrypt and have successfully implemented it.

As the instances are running in Amazon AWS, we’ll need to run NAT-T.

I’m looking for others’ experiences in tuning /etc/sysctl.conf for a high-volume 
S2S router over NAT-T.  Bandwidth between sites is effectively unlimited but ~ 
1-2Gbps based on the instance type we’re running.

I’m doing some tweaking of UDP parameters and gaining some ground.  I wondered 
about others’ thoughts on whether any of the TCP parameters need to be tuned on 
the routers?  Traffic will be predominantly TCP but there will be some UDP mixed 
in there too.  Lots of file transfer traffic via SMB and FTP.

Looking at AES-GCM for efficiency, and AES-NI is supported by their processors.  
Right now we’re seeing about 350-400Mbps throughput on instances with 4 cores 
and 8GB of RAM (iperf3).

/etc/sysctl.conf so far has UDP at

net.ipv4.udp_mem        = 262144 873800 16777216
net.ipv4.udp_rmem_min   = 262144
net.ipv4.udp_wmem_min   = 262144


Traffic seems to be bursty.  We’ll see high throughput, then fall off, then 
recover.

Thoughts appreciated on parameters or where to look for any issues, and thanks 
in advance.

EKG
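One thing worth checking before experimenting further with the UDP sysctls above is that the three net.ipv4.udp_mem values are in pages (4 KiB on x86_64), while udp_rmem_min and udp_wmem_min are in bytes, and that the udp_mem triple is ordered min <= pressure <= max. The following is an added example, not code from the poster or from strongSwan: a small checker that parses a sysctl.conf fragment (the sample text is constructed from the three lines in the post) and reports inconsistent UDP settings. PAGE_SIZE is assumed to be 4096; adjust it on platforms with a different page size.

```python
"""Validate a sysctl.conf fragment of UDP buffer settings (added example)."""

PAGE_SIZE = 4096  # assumption: 4 KiB pages; net.ipv4.udp_mem counts pages, not bytes

# Constructed sample, copied from the settings quoted in the post.
SAMPLE_GOOD = """\
net.ipv4.udp_mem        = 262144 873800 16777216
net.ipv4.udp_rmem_min   = 262144
net.ipv4.udp_wmem_min   = 262144
"""

# Constructed sample with a mis-ordered udp_mem triple and a missing key.
SAMPLE_BAD = """\
# pressure threshold higher than max, wmem_min absent
net.ipv4.udp_mem        = 262144 16777216 873800
net.ipv4.udp_rmem_min   = 262144
"""


def parse_sysctl(text):
    """Parse 'key = value' lines into {key: [tokens]}; comments/blanks ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.split()
    return settings


def check_udp_settings(settings):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    mem = settings.get("net.ipv4.udp_mem")
    if mem is None:
        findings.append("net.ipv4.udp_mem not set")
    elif len(mem) != 3 or not all(v.isdigit() for v in mem):
        findings.append("net.ipv4.udp_mem must be three integers: min pressure max (pages)")
    else:
        lo, pressure, hi = (int(v) for v in mem)
        if not lo <= pressure <= hi:
            findings.append("net.ipv4.udp_mem values must be non-decreasing (min <= pressure <= max)")
    for key in ("net.ipv4.udp_rmem_min", "net.ipv4.udp_wmem_min"):
        val = settings.get(key)
        if val is None:
            findings.append(f"{key} not set")
        elif len(val) != 1 or not val[0].isdigit():
            findings.append(f"{key} must be a single integer (bytes)")
    return findings


def udp_mem_bytes(settings):
    """Convert the udp_mem page counts to bytes so they can be compared with RAM."""
    return [int(v) * PAGE_SIZE for v in settings["net.ipv4.udp_mem"]]


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        parsed = parse_sysctl(text)
        print(name, check_udp_settings(parsed) or "OK")
        if "net.ipv4.udp_mem" in parsed:
            print("  udp_mem in bytes:", udp_mem_bytes(parsed))
```

Running it against the post's values shows the udp_mem max (16777216 pages) corresponds to 64 GiB, far above the 8 GB the instances have, so the kernel's pressure threshold (873800 pages, about 3.3 GiB) is the value that actually governs UDP buffer behaviour on those hosts.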

