ipsec on multicore VM

Eugene Grosbein eugen at grosbein.net
Thu Oct 17 10:24:02 UTC 2019


09.10.2019 2:05, Victor Gamov wrote:

> I have a FreeBSD 11.2-STABLE #0 r343863 VM with 2 CPUs and a vxnet3 NIC. This host uses many if_ipsec and strongswan-5.7.2 to make site-to-site IPsec connections.
> 
> When I use `tcpdump -nn -i <ext_iface> src <site1_ext_ip> and esp`, I get many reordered IPsec packets.
> 
> Does tcpdump give me a real picture and I have reordering somewhere "on the wire", or may packets be reordered due to more than one CPU reading packets from the NIC?

You may easily verify your suspicion by temporarily disabling SMP inside the guest system:

nextboot -k kernel
echo kern.smp.disabled=1 >> /boot/nextboot.conf
shutdown -r now

This way, the system will perform a one-time boot with all cores but one disabled.
Should it experience any problems booting this way, another reset of the VM will boot it normally;
otherwise, try running tcpdump while a single CPU is used by the kernel.
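
An added example, not part of the original message: a small Python script that counts out-of-order ESP sequence numbers per SPI in `tcpdump -nn` text output, so a capture taken with SMP enabled can be compared against one taken after the single-CPU boot. The sample lines, addresses and SPI values are constructed, and the script assumes tcpdump's usual `ESP(spi=0x...,seq=0x...)` line format.

```python
import re
import sys
from collections import defaultdict

# tcpdump -nn prints ESP as: "<time> IP <src> > <dst>: ESP(spi=0x..,seq=0x..), length N"
ESP_RE = re.compile(r"IP6? (\S+) > \S+: ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")

def count_reordering(lines):
    """Per (source, SPI): packets seen, packets that arrived behind a higher
    sequence number (or repeated it), and the largest such distance.
    Sequence-number wraparound is ignored (assumption: short captures)."""
    highest = {}
    stats = defaultdict(lambda: {"packets": 0, "late": 0, "max_gap": 0})
    for line in lines:
        m = ESP_RE.search(line)
        if not m:
            continue  # not an ESP packet line
        key = (m.group(1), int(m.group(2), 16))
        seq = int(m.group(3), 16)
        entry = stats[key]
        entry["packets"] += 1
        top = highest.get(key)
        if top is None or seq > top:
            highest[key] = seq
        else:
            entry["late"] += 1
            entry["max_gap"] = max(entry["max_gap"], top - seq)
    return dict(stats)

# Constructed sample capture (documentation addresses, made-up SPIs).
def _esp(spi, seqs):
    return [f"10:24:02.{i:06d} IP 192.0.2.10 > 198.51.100.20: "
            f"ESP(spi=0x{spi:08x},seq=0x{s:x}), length 136" for i, s in enumerate(seqs)]

SAMPLE = (_esp(0xC0FFEE01, [1, 2, 4, 3, 5, 8, 6, 7]) + _esp(0xC0FFEE02, [1, 2, 3])
          + ["10:24:03.000000 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64"])

if __name__ == "__main__":
    # Pipe real tcpdump output in, or run with no input to see the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (src, spi), s in count_reordering(source).items():
        print(f"{src} spi=0x{spi:08x} packets={s['packets']} late={s['late']} max_gap={s['max_gap']}")
```

If the `late` count drops to zero in the single-CPU capture but not in the SMP one, the reordering is happening inside the guest rather than on the wire.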



