[Openswan Users] [Ocf-linux-users] IPSec L2tpv3 throughput low using Netkey kernel stack

[Kim Phillips]

On Tue, 17 May 2011 14:27:59 -0400
Paul Wouters <paul at xelerance.com> wrote:

> On Mon, 16 May 2011, Vasanth Ragavendran wrote:
> 
> > but when the Sec driver is configured as module into the kernel the module doesn;t get inserted
> > gives segmentation fault and if the Sec driver is configured as non-module type the kernel doesn't
> > bootsup at all!
> 
> David might be able to help with this. The ubsec driver is mostly used on linksys/asus machines,
> perhaps yours is slightly different?

Based on the freescale URL posted to users at openswan, I assume you're
referring to the "SEC23DRVRS" driver?  That is a standalone driver,
and won't be of use unless you're prepared to write code to
integrate it into your IPsec stack.

Known working (to me at least) IPsec offload configuration for the
8315 should be NETKEY with CONFIG_CRYPTO_DEV_TALITOS configured in
a vanilla kernel.  To be able to tell whether h/w crypto offload is
in operation, see 'grep talitos /proc/interrupts' run.

> Note that slow throughput could also be caused by fragmentation as a result of the extra IPsec
> header space, causing you to encrypt two packets for every one unencrypted packet. Try setting
> your LAN MTU to 1400 and see if the problem remains?

or lower?  Whether this is causing the problem can be verified by
comparing no-encryption vs. 'null' algorithm encryption.

Kim