how to optimize performance of nfs running inside Strongswan ipsec transport on 10Gb network
Clash Royale CLAN TAG#URR8PPP
0
Host1: Ubuntu 18.04
Host2: Freebsd 11.2
Here is my situation... I have 2 hosts on a 10G lan that have Strongswan IPsec transport configured between them to secure nfsv3. (Yes, I know nfsv3 is old and i should move on, but reasons...). As soon as I set the MTU to 9000 for the last link in the chain (host2 interface, 10G switch interface, other 10G switch interface, host1 interface) my nfs mount seems to hang.
I believe I have 2 problems to solve. 1st, once my ipsec connection is up, my performance, as measured through iperf3, drops from 9.4Gb/sec to ~800Mb/sec. 2nd, the NFS mount can't do anything once the tunnel is up and all related interfaces are using mtu 9000.
So, what should I do to increase my ipsec performance over a 10G LAN and what is wrong my NFS?
Host1 is mounting host2 via NFS using this fstab entry:
host2:/exports/share /mnt/storage nfs
_netdev,nofail,noatime,nolock,tcp,actimeo=1800 0 0
Since this a 10G lan I updated the kernel options for both systems to be more 10G lan optimized.
Host1 kernel tunings in /etc/sysctl.d/10-mychanges.conf
# Maximum receive socket buffer size
net.core.rmem_max = 134217728
# Maximum send socket buffer size
net.core.wmem_max = 134217728
# Minimum, initial and max TCP Receive buffer size in Bytes
net.ipv4.tcp_rmem = 4096 87380 134217728
# Minimum, initial and max buffer space allocated
net.ipv4.tcp_wmem = 4096 65536 134217728
# Maximum number of packets queued on the input side
net.core.netdev_max_backlog = 300000
# Auto tuning
net.ipv4.tcp_moderate_rcvbuf = 1
# Don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
# The Hamilton TCP (HighSpeed-TCP) algorithm is a packet loss based congestion control and is more aggressive pushing up to max bandwidth (total BDP) and favors hosts with lower TTL / VARTTL.
net.ipv4.tcp_congestion_control=htcp
# If you are using jumbo frames set this to avoid MTU black holes.
net.ipv4.tcp_mtu_probing = 1
Host1 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.4
leftid=@host1
leftcert=/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.5
rightid=@host2
auto=add
authby=rsasig
type=transport
compress=no
Host2 (freebsd)
# $FreeBSD: releng/11.2/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# set to at least 16MB for 10GE hosts
kern.ipc.maxsockbuf=16777216
# set autotuning maximum to at least 16MB too
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
# enable send/recv autotuning
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
# increase autotuning step size
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
# set this on test/measurement hosts
net.inet.tcp.hostcache.expire=1
# Set congestion control algorithm to Cubic or HTCP
# Make sure the module is loaded at boot time - check loader.conf
# net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.cc.algorithm=htcp
Host2 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.5
leftid=@host2
leftcert=/usr/local/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.4
rightid=@host1
auto=add
authby=rsasig
type=transport
compress=no
nfs ipsec strongswan
asked Jan 11 at 1:59
StackShinStackShin
1
add a comment |
0
Host1: Ubuntu 18.04
Host2: Freebsd 11.2
Here is my situation... I have 2 hosts on a 10G lan that have Strongswan IPsec transport configured between them to secure nfsv3. (Yes, I know nfsv3 is old and i should move on, but reasons...). As soon as I set the MTU to 9000 for the last link in the chain (host2 interface, 10G switch interface, other 10G switch interface, host1 interface) my nfs mount seems to hang.
I believe I have 2 problems to solve. 1st, once my ipsec connection is up, my performance, as measured through iperf3, drops from 9.4Gb/sec to ~800Mb/sec. 2nd, the NFS mount can't do anything once the tunnel is up and all related interfaces are using mtu 9000.
So, what should I do to increase my ipsec performance over a 10G LAN and what is wrong my NFS?
Host1 is mounting host2 via NFS using this fstab entry:
host2:/exports/share /mnt/storage nfs
_netdev,nofail,noatime,nolock,tcp,actimeo=1800 0 0
Since this a 10G lan I updated the kernel options for both systems to be more 10G lan optimized.
Host1 kernel tunings in /etc/sysctl.d/10-mychanges.conf
# Maximum receive socket buffer size
net.core.rmem_max = 134217728
# Maximum send socket buffer size
net.core.wmem_max = 134217728
# Minimum, initial and max TCP Receive buffer size in Bytes
net.ipv4.tcp_rmem = 4096 87380 134217728
# Minimum, initial and max buffer space allocated
net.ipv4.tcp_wmem = 4096 65536 134217728
# Maximum number of packets queued on the input side
net.core.netdev_max_backlog = 300000
# Auto tuning
net.ipv4.tcp_moderate_rcvbuf = 1
# Don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
# The Hamilton TCP (HighSpeed-TCP) algorithm is a packet loss based congestion control and is more aggressive pushing up to max bandwidth (total BDP) and favors hosts with lower TTL / VARTTL.
net.ipv4.tcp_congestion_control=htcp
# If you are using jumbo frames set this to avoid MTU black holes.
net.ipv4.tcp_mtu_probing = 1
Host1 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.4
leftid=@host1
leftcert=/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.5
rightid=@host2
auto=add
authby=rsasig
type=transport
compress=no
Host2 (freebsd)
# $FreeBSD: releng/11.2/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# set to at least 16MB for 10GE hosts
kern.ipc.maxsockbuf=16777216
# set autotuning maximum to at least 16MB too
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
# enable send/recv autotuning
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
# increase autotuning step size
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
# set this on test/measurement hosts
net.inet.tcp.hostcache.expire=1
# Set congestion control algorithm to Cubic or HTCP
# Make sure the module is loaded at boot time - check loader.conf
# net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.cc.algorithm=htcp
Host2 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.5
leftid=@host2
leftcert=/usr/local/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.4
rightid=@host1
auto=add
authby=rsasig
type=transport
compress=no
nfs ipsec strongswan
asked Jan 11 at 1:59
StackShinStackShin
1
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After loading the aesni module on FreeBSD(kldload aesni), any vpn software that supports should use it. What about if your colleague usesracooninstead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html
– nwildner
Jan 12 at 11:34
add a comment |
0
0
0
Host1: Ubuntu 18.04
Host2: Freebsd 11.2
Here is my situation... I have 2 hosts on a 10G lan that have Strongswan IPsec transport configured between them to secure nfsv3. (Yes, I know nfsv3 is old and i should move on, but reasons...). As soon as I set the MTU to 9000 for the last link in the chain (host2 interface, 10G switch interface, other 10G switch interface, host1 interface) my nfs mount seems to hang.
I believe I have 2 problems to solve. 1st, once my ipsec connection is up, my performance, as measured through iperf3, drops from 9.4Gb/sec to ~800Mb/sec. 2nd, the NFS mount can't do anything once the tunnel is up and all related interfaces are using mtu 9000.
So, what should I do to increase my ipsec performance over a 10G LAN and what is wrong my NFS?
Host1 is mounting host2 via NFS using this fstab entry:
host2:/exports/share /mnt/storage nfs
_netdev,nofail,noatime,nolock,tcp,actimeo=1800 0 0
Since this a 10G lan I updated the kernel options for both systems to be more 10G lan optimized.
Host1 kernel tunings in /etc/sysctl.d/10-mychanges.conf
# Maximum receive socket buffer size
net.core.rmem_max = 134217728
# Maximum send socket buffer size
net.core.wmem_max = 134217728
# Minimum, initial and max TCP Receive buffer size in Bytes
net.ipv4.tcp_rmem = 4096 87380 134217728
# Minimum, initial and max buffer space allocated
net.ipv4.tcp_wmem = 4096 65536 134217728
# Maximum number of packets queued on the input side
net.core.netdev_max_backlog = 300000
# Auto tuning
net.ipv4.tcp_moderate_rcvbuf = 1
# Don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
# The Hamilton TCP (HighSpeed-TCP) algorithm is a packet loss based congestion control and is more aggressive pushing up to max bandwidth (total BDP) and favors hosts with lower TTL / VARTTL.
net.ipv4.tcp_congestion_control=htcp
# If you are using jumbo frames set this to avoid MTU black holes.
net.ipv4.tcp_mtu_probing = 1
Host1 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.4
leftid=@host1
leftcert=/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.5
rightid=@host2
auto=add
authby=rsasig
type=transport
compress=no
Host2 (freebsd)
# $FreeBSD: releng/11.2/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# set to at least 16MB for 10GE hosts
kern.ipc.maxsockbuf=16777216
# set autotuning maximum to at least 16MB too
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
# enable send/recv autotuning
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
# increase autotuning step size
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
# set this on test/measurement hosts
net.inet.tcp.hostcache.expire=1
# Set congestion control algorithm to Cubic or HTCP
# Make sure the module is loaded at boot time - check loader.conf
# net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.cc.algorithm=htcp
Host2 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.5
leftid=@host2
leftcert=/usr/local/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.4
rightid=@host1
auto=add
authby=rsasig
type=transport
compress=no
nfs ipsec strongswan
asked Jan 11 at 1:59
StackShinStackShin
1
Host1: Ubuntu 18.04
Host2: Freebsd 11.2
Here is my situation... I have 2 hosts on a 10G lan that have Strongswan IPsec transport configured between them to secure nfsv3. (Yes, I know nfsv3 is old and i should move on, but reasons...). As soon as I set the MTU to 9000 for the last link in the chain (host2 interface, 10G switch interface, other 10G switch interface, host1 interface) my nfs mount seems to hang.
I believe I have 2 problems to solve. 1st, once my ipsec connection is up, my performance, as measured through iperf3, drops from 9.4Gb/sec to ~800Mb/sec. 2nd, the NFS mount can't do anything once the tunnel is up and all related interfaces are using mtu 9000.
So, what should I do to increase my ipsec performance over a 10G LAN and what is wrong my NFS?
Host1 is mounting host2 via NFS using this fstab entry:
host2:/exports/share /mnt/storage nfs
_netdev,nofail,noatime,nolock,tcp,actimeo=1800 0 0
Since this a 10G lan I updated the kernel options for both systems to be more 10G lan optimized.
Host1 kernel tunings in /etc/sysctl.d/10-mychanges.conf
# Maximum receive socket buffer size
net.core.rmem_max = 134217728
# Maximum send socket buffer size
net.core.wmem_max = 134217728
# Minimum, initial and max TCP Receive buffer size in Bytes
net.ipv4.tcp_rmem = 4096 87380 134217728
# Minimum, initial and max buffer space allocated
net.ipv4.tcp_wmem = 4096 65536 134217728
# Maximum number of packets queued on the input side
net.core.netdev_max_backlog = 300000
# Auto tuning
net.ipv4.tcp_moderate_rcvbuf = 1
# Don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
# The Hamilton TCP (HighSpeed-TCP) algorithm is a packet loss based congestion control and is more aggressive pushing up to max bandwidth (total BDP) and favors hosts with lower TTL / VARTTL.
net.ipv4.tcp_congestion_control=htcp
# If you are using jumbo frames set this to avoid MTU black holes.
net.ipv4.tcp_mtu_probing = 1
Host1 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.4
leftid=@host1
leftcert=/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.5
rightid=@host2
auto=add
authby=rsasig
type=transport
compress=no
Host2 (freebsd)
# $FreeBSD: releng/11.2/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# set to at least 16MB for 10GE hosts
kern.ipc.maxsockbuf=16777216
# set autotuning maximum to at least 16MB too
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
# enable send/recv autotuning
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
# increase autotuning step size
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
# set this on test/measurement hosts
net.inet.tcp.hostcache.expire=1
# Set congestion control algorithm to Cubic or HTCP
# Make sure the module is loaded at boot time - check loader.conf
# net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.cc.algorithm=htcp
Host2 ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn host-host
left=192.168.0.5
leftid=@host2
leftcert=/usr/local/etc/ipsec.d/certs/host_cert.pem
right=192.168.0.4
rightid=@host1
auto=add
authby=rsasig
type=transport
compress=no
nfs ipsec strongswan
nfs ipsec strongswan
asked Jan 11 at 1:59
StackShinStackShin
1
asked Jan 11 at 1:59
StackShinStackShin
1
asked Jan 11 at 1:59
StackShinStackShin
1
asked Jan 11 at 1:59
StackShinStackShin
1
asked Jan 11 at 1:59
StackShinStackShin
1
1
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After loading the aesni module on FreeBSD(kldload aesni), any vpn software that supports should use it. What about if your colleague usesracooninstead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html
– nwildner
Jan 12 at 11:34
add a comment |
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After loading the aesni module on FreeBSD(kldload aesni), any vpn software that supports should use it. What about if your colleague usesracooninstead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html
– nwildner
Jan 12 at 11:34
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After loading the aesni module on FreeBSD(
kldload aesni), any vpn software that supports should use it. What about if your colleague uses racoon instead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html– nwildner
Jan 12 at 11:34
After loading the aesni module on FreeBSD(
kldload aesni), any vpn software that supports should use it. What about if your colleague uses racoon instead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html– nwildner
Jan 12 at 11:34
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493853%2fhow-to-optimize-performance-of-nfs-running-inside-strongswan-ipsec-transport-on%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
draft saved
draft discarded
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493853%2fhow-to-optimize-performance-of-nfs-running-inside-strongswan-ipsec-transport-on%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Have you invested some time on removing the cpu bottleneck by increasing parallelism? - wiki.strongswan.org/projects/strongswan/wiki/Pcrypt - Don't know how it works on modern kernels, and it's been a long time i don't configure a strongswan/openswan based VPN.
– nwildner
Jan 11 at 15:21
After asking a colleague it looks like i didn't have aesni enabled on my OS. I went ahead and did that but strongswan on the FreeBSD host doesn't have the aesni plugin enabled. I tried manually adding file in /usr/local/etc/strongswan.d/charon/aesni.conf and restarting the service but that didn't seem to do the trick...
– StackShin
Jan 12 at 1:21
After loading the aesni module on FreeBSD(
kldload aesni), any vpn software that supports should use it. What about if your colleague usesracooninstead of Strongswan at the FreeBSD side, just for testing? It's the suggested software for IPSec at the FreeBSD Handbook - freebsd.org/doc/handbook/ipsec.html– nwildner
Jan 12 at 11:34