On Wed, 29 Mar 2017, Craig Marker wrote:
I didn’t mean for my terminology of ‘Libreswan Performance’ to distract from the real problem I am facing. When I run an IPsec tunnel using Libreswan as a distribution, I’m seeing a single core be CPU bound solely by soft interrupts. I understand that it may not inherently be a problem with Libreswan, but I figured those using it might be most aware of certain kernel tweaks that improve performance.

Here is the summation output of mpstat -p ALL while the iperf3 client/server stream was running.

Average:     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
Average:     all    0.84    0.00    0.29    0.02    0.00   26.26    0.00    0.00    0.00   72.59
Average:       0    0.49    0.00    0.18    0.03    0.00    0.00    0.00    0.00    0.00   99.30
Average:       1    0.05    0.00    0.03    0.00    0.00   99.25    0.00    0.00    0.00    0.67
Average:       2    0.98    0.00    0.58    0.04    0.00    0.18    0.00    0.00    0.00   98.22
Average:       3    2.01    0.00    0.40    0.01    0.00    0.79    0.00    0.00    0.00   96.79

With that, is there a kernel version you would recommend trying? Are there certain kernel settings you would investigate/tweak?
Oh I misunderstood.

You can try increasing the replay-window or disabling replay detection using

    replay-window=64

or

    replay-window=0

Ensure you are using AES_GCM as ESP algorithm for best performance.

You can try to load the pcrypt kernel module to use multiple CPUs, but the documentation of the pcrypt module is non-existent and existing examples you find on a Google search are wrong. I would be interested if you can get this to work.

There is also ethernet hardware and offload tweaking that is possible.

Some links that might help:

https://libreswan.org/wiki/Benchmarking_and_Performance_testing
https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt

Paul
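Added example, not part of the original thread: a small parser for the `Average:` rows of the mpstat output quoted above that reports CPUs saturated by softirq work while the remaining cores sit idle, which is the symptom described. The function names and the 90% thresholds are assumptions chosen for illustration.

```python
# Added example: flag CPUs saturated by softirq work in mpstat per-CPU averages.
# SAMPLE is the output quoted in the thread; the thresholds are assumptions.

SAMPLE = """\
Average:     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
Average:     all    0.84    0.00    0.29    0.02    0.00   26.26    0.00    0.00    0.00   72.59
Average:       0    0.49    0.00    0.18    0.03    0.00    0.00    0.00    0.00    0.00   99.30
Average:       1    0.05    0.00    0.03    0.00    0.00   99.25    0.00    0.00    0.00    0.67
Average:       2    0.98    0.00    0.58    0.04    0.00    0.18    0.00    0.00    0.00   98.22
Average:       3    2.01    0.00    0.40    0.01    0.00    0.79    0.00    0.00    0.00   96.79
"""


def parse_mpstat_averages(text):
    """Return {cpu_label: {column: float}} built from the 'Average:' rows."""
    header, rows = None, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "Average:":
            continue
        if fields[1] == "CPU":
            header = fields[2:]  # column set differs between sysstat versions
            continue
        if header is None or len(fields) - 2 != len(header):
            continue  # row does not line up with the header, skip it
        rows[fields[1]] = dict(zip(header, map(float, fields[2:])))
    return rows


def softirq_bound_cpus(rows, soft_min=90.0, idle_min=90.0):
    """CPUs pinned by softirq while every other CPU is mostly idle."""
    cpus = {c: v for c, v in rows.items() if c != "all"}
    hot = sorted(c for c, v in cpus.items() if v["%soft"] >= soft_min)
    others_idle = all(v["%idle"] >= idle_min
                      for c, v in cpus.items() if c not in hot)
    return hot if hot and others_idle else []


if __name__ == "__main__":
    rows = parse_mpstat_averages(SAMPLE)
    for cpu in softirq_bound_cpus(rows):
        print(f"CPU {cpu}: {rows[cpu]['%soft']:.2f}% soft, other cores idle")
```

Running it against a capture taken after each tuning change shows whether the softirq load is still confined to one core.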
