[Openswan Users] [Ocf-linux-users] IPSec L2tpv3 throughput low using Netkey kernel stack

Paul Wouters paul at xelerance.com
Tue May 24 23:44:32 EDT 2011


On Wed, 18 May 2011, Paul Wouters wrote:

> Subject: Re: [Ocf-linux-users] [Openswan Users] IPSec L2tpv3 throughput low
>     using Netkey kernel stack

Remind me to bring the Xelerance internal wiki pages on openswan / ocf benchmarking
to the public wiki. They're currently on a VM I don't have access to. But ping me
in a few days when I have access to these if I haven't posted them.

We found various tweaks to increase the traffic and got numbers that were comparable
in speed despite the SAref support overhead for L2TP/Transport Mode. This was using
cryptosoft with KLIPS on SMP machines without crypto offload hardware.

A few notes:

- Do not run iperf on the IPsec machines but on machines behind those.
- Run multiple TCP streams to reduce effects of a single stalled/lost packet
- Play a LOT with the MTU sizes
- Different brands of eth cards make a huge difference
- Disable various nic card offloading/checksumming
- Ensure the OCF buffers are high enough. Openswan's _startklips script tries
   to do this for you based on CPUs, but not based on hardware crypto offload.
   Specifically look at:
    /sys/module/ocf/parameters/crypto_q_max
    /sys/module/ipsec/parameters/ipsec_irs_cache_allocated_max
    /sys/module/ipsec/parameters/ipsec_ixs_cache_allocated_max

Paul
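
Added example, not part of the original message and not Openswan's own code: a small shell function that reports the three tunables listed above so they can be recorded alongside each benchmark run. The function name `ocf_report`, its `ROOT` argument and the floor value are assumptions for illustration; the post gives no recommended numbers.

```shell
#!/bin/sh
# Report the OCF/KLIPS queue tunables named in the post.
# Paths come from the post; FLOOR is chosen by the operator.

OCF_TUNABLES="
sys/module/ocf/parameters/crypto_q_max
sys/module/ipsec/parameters/ipsec_irs_cache_allocated_max
sys/module/ipsec/parameters/ipsec_ixs_cache_allocated_max
"

# ocf_report ROOT FLOOR
#   ROOT  - filesystem root to read from ("/" on a live gateway, or a
#           directory holding copied files when comparing saved snapshots)
#   FLOOR - minimum acceptable value, chosen by the operator
# Prints one "STATUS path value" line per tunable. Returns non-zero if any
# tunable is absent (module not loaded), non-numeric, or below FLOOR.
ocf_report() {
    root=${1%/}
    floor=$2
    rc=0
    for rel in $OCF_TUNABLES; do
        f="$root/$rel"
        if [ ! -r "$f" ]; then
            echo "ABSENT /$rel -"
            rc=1
            continue
        fi
        val=$(tr -d ' \n' < "$f")
        case $val in
            ''|*[!0-9]*) echo "BADVAL /$rel $val"; rc=1; continue ;;
        esac
        if [ "$val" -lt "$floor" ]; then
            echo "LOW /$rel $val"
            rc=1
        else
            echo "OK /$rel $val"
        fi
    done
    return $rc
}
```

On a gateway, call it as `ocf_report / FLOOR` before each run; an `ABSENT` line means the corresponding module (ocf or ipsec/KLIPS) is not loaded.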

