[Openswan Users] GBit performance

David McCullough David_Mccullough at securecomputing.com
Sun Nov 29 17:19:00 EST 2009


Jivin Paul Wouters lays it down ...
> On Fri, 27 Nov 2009, Michael Schwartzkopff wrote:
> 
> > We want to use plain linux servers as a VPN gateway to encrypt up to 1 GBit/s.
> >
> > Is this possible with standard servers?
> > If yes, what servers (CPU, dual-core, quad-core, speed) would you suggest?
> 
> Sure. A modern CPU should do fine. No need to go insane.
> 
> > If I need hardware acceleration: Is there a good guide for:
> 
> No. Hardware acceleration is mostly useful for embedded devices with tiny
> CPUs.
> 
> > - What cards / chips really work?
> 
> Intel, HiFN?
> 
> > - What additional software do I need?
> 
> OCF support enabled in openswan
> 
> > - Do I need to patch anything (kernel, openswan, ...)?
> 
> You'd need KLIPS with OCF.

If you run a very recent kernel (2.6.31 for example) then you should be
able to get HW acceleration using netkey and the kernel crypto API.
There are a number of supported solutions in there, Hifn and VIA included.

I haven't done any benchmarks to compare with OCF but based on what I know
about it, it *should* be similar in performance.

In theory (might need 2.6.32, not sure) you can also use an SMP server
with lots of cores and distribute the SW crypto across the cores when running
netkey.

The only caveat is that, while I have seen patches for all this on the
linux-crypto mailing list, I am not 100% sure if all of them have been
accepted upstream.

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
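
Added example, not part of the original message: with netkey the IPsec stack takes its ciphers from the kernel crypto API, so one practical check is to parse `/proc/crypto` and see which registered driver has the highest priority for each algorithm. The sample text is constructed, and the `example-hw` driver and module names and the priority values are assumptions.

```python
import re

# Constructed sample in /proc/crypto layout (trimmed to a few fields).
# "example-hw" driver/module names and all priorities are assumptions.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-example-hw
module       : example_hw
priority     : 400

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
"""

def parse_proc_crypto(text):
    """Return one dict per implementation block (blocks are blank-line separated)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            entries.append(fields)
    return entries

def preferred(text):
    """Map algorithm name -> (driver, module, priority) of the top-priority entry."""
    best = {}
    for e in parse_proc_crypto(text):
        if e.get("selftest", "passed") != "passed":
            continue  # skip implementations that did not pass their self-test
        cand = (e["driver"], e.get("module", "?"), int(e.get("priority", "0")))
        if e["name"] not in best or cand[2] > best[e["name"]][2]:
            best[e["name"]] = cand
    return best

if __name__ == "__main__":
    for alg, (drv, mod, prio) in sorted(preferred(SAMPLE).items()):
        print(f"{alg:12} {drv:22} module={mod:12} priority={prio}")
```

On a gateway, pass the contents of `/proc/crypto` to `preferred()` instead of `SAMPLE`.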

