[Openswan Users] [Ocf-linux-users] IPSec L2tpv3 throughput low using Netkey kernel stack
Paul Wouters
paul at xelerance.com
Tue May 24 23:44:32 EDT 2011
On Wed, 18 May 2011, Paul Wouters wrote:
> Subject: Re: [Ocf-linux-users] [Openswan Users] IPSec L2tpv3 throughput low
> using Netkey kernel stack
Remind me to bring the Xelerance internal wiki pages on openswan / ocf benchmarking
to the public wiki. They're currently on a VM I don't have access to. But ping me
in a few days when I have access to these if I haven't posted them.
We found various tweaks to increase the traffic and got numbers that were comparable
in speed despite the SAref support overhead for L2TP/Transport Mode. This was using
cryptosoft with KLIPS on SMP machines without crypto offload hardware.
A few notes:
- Do not run iperf on the IPsec machines but on machines behind those.
- Run multiple TCP streams to reduce effects of a single stalled/lost packet
- Play a LOT with the MTU sizes
- Different brands of eth cards make a huge difference
- Disable various nic card offloading/checksumming
- Ensure the OCF buffers are high enough.Openswan's _startklips script tries
to do this for you based on CPUs, but not based on hardware crypto offload.
Specifically look at:
/sys/module/ocf/parameters/crypto_q_max
/sys/module/ipsec/parameters/ipsec_irs_cache_allocated_max
/sys/module/ipsec/parameters/ipsec_ixs_cache_allocated_max
Paul
More information about the Users
mailing list