strongswan ikev2 slow on FreeBSD (DigitalOcean)
Zhihao Yuan
lichray at gmail.com
Thu Jul 2 00:42:35 UTC 2015
It might be hypervisor's problem because they use KVM, but here are
some information I have:
DO smallest instance.
> uname -a
FreeBSD megashadow2 10.2-PRERELEASE FreeBSD 10.2-PRERELEASE #3
r284996: Wed Jul 1 17:58:13 UTC 2015
freebsd at megashadow2:/usr/obj/usr/src/sys/DOIPSEC amd64
cryptotest w/wo -p -- 2Gb/s, 400Mb/s, aesni, cryptodev present.
strongswan ipsec.conf:
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
NAT done through one simple pf rule.
natstat -inw1 shows no error, no drop, just very small packets (10K-30K) even
for large data.
Top two functions in pmcstat -TS instructions -w1 are kernel
rijndaelEncrypt and sha1_step are the top two consuming function,
10%-20% for each.
TSO, IPSEC_DEBUG do not matter.
Boost performance is same as Ubuntu 15 (300kb/s in ssh, downloading to
my laptop), but most of the time is < 100kb/s, and overall speed is
50% slower. Uploading is good.
--
Zhihao Yuan, ID lichray
The best way to predict the future is to invent it.
___________________________________________________
4BSD -- http://bit.ly/blog4bsd
More information about the freebsd-net
mailing list