-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello John,
It is likely that that is caused by insufficient crypto processing capabilities on either side, so packets need to be dropped, as the transmit/receive buffers are full. A solution to this problem is to distribute the work load over several kernels using pcrypt[1]. [1] https://wiki.strongswan.org/projects/strongswan/wiki/Pcrypt Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658 Am 30.05.2015 um 23:57 schrieb jsulli...@opensourcedevel.com: > Hello, all. We are attempting to use StrongSWAN on a fast (1 Gbps CIR one > side > and 4x10Gbps on the other) with about 80ms latency so pretty high bandwidth > delay product. The traffic is GRE/IPSec. Our benchmarks show we can saturate > the 1 Gbps side with just GRE sustaining high 800 low 900 Mbps. When we > activate IPSec, we plummet to around 40 Mbps - maybe we'll hit 400 Mbps on > occasion. > > This seems to be a TCP windowing problem provoked by TCP segment > retransmissions. When we use nstat between runs, GRE shows virtually no > segment > retransmissions where GRE/IPSec shows thousands. GRE tunnel MTU is 1412 so it > should be fine for both transport and tunnel mode. > > sanitized config is: > > type=transport > esp=aes128gcm8-modp1024 > > leftprotoport=47 > rightprotoport=47 > dpddelay=9 > dpdtimeout=30 > compress=yes > > keyingtries=20 > keylife=60m > rekeymargin=5m > ikelifetime=3h > mobike=no > > authby=rsasig > rightrsasigkey=%cert > > nat_traversal=yes > charonstart=yes > plutostart=yes > > > > We are using intel cards with igb on one side and ixgbe on the other. > > What do we need to do to eliminate the lost packets and where can we see the > drops? I don't see them on any queues, qdiscs - no stats showing packet drops. > Thanks - John > _______________________________________________ > Users mailing list > Users@lists.strongswan.org > https://lists.strongswan.org/mailman/listinfo/users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJVajNHAAoJEDg5KY9j7GZYv0sQAJB1ZDJvO5JWQ1jaAyexe1fk YwvugHH7FAY6mQH0glVct2Ro1+/c0hRCHgnjIKF6ICQkz6GxcHxbJzr+fnGON31c faoIVgCm4gxCjHR6Tcj1DMC8I6vDeUJ7nM7rGqs1XXN/+H3vLD+KRK9p0RC3mn85 jc1HWCdyDjdjiNEO7ENi6SUYFkYnuiBIcmbroTcIP+FVvnWd/DHAUKSCxGedVTeO 0izwkKwGPw9bYkBk2l1Q9K+jccpFoyBzFeMKHnrTQ+hzC46qCGbXNmJklVg9vlHX H6BszfBdKAiDQ5SOaMe955f8RVynWpktZ2FpistfBylrnCyVfBVsDQXXF9BT9287 tUsVfGbeA+4rCVrlLb/wiciqFLCP95bxITCaxW+3cYEYxNnr1wn5I2MRFRWeJrQL /HVrWtPqcWTFC+G7kt0XfmMdhsCtIURRt1q0k0ULTqVpALXRbJ+ksFR+zS7X1Hiy h9wy9jpa4v13Yg8vdOFofn6pe/Dv9/SNnLwfzJpmdit9U4A4QW2C/hZB31EmkuLK GSTCAZguAKnu/QOlN2zUqRLsAVpb4QlnqLqLJkvbnvooJu80OI7t95asutf5B+9i 3JAunbtHSlci//uYl59/6lvgfFFKvXNxVH9YMsbS+G2Cn0RIQzj6e0ZdSNXFwRxy 877iMnpvaZdPPlNZ0r6g =vgw7 -----END PGP SIGNATURE----- _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users