IPSec Performance under Xen
Sydney Meyer
meyer.sydney at googlemail.com
Fri Apr 24 01:06:44 UTC 2015
You're right.. strongswan fails/hangs with:
initiating IKE_SA host-host[1] to 10.0.30.66
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.0.30.114[500] to 10.0.30.66[500] (1148 bytes)
received packet: from 10.0.30.66[500] to 10.0.30.114[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'sun.strongswan.org' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
..
S.
> On Apr 24, 2015, at 03:00, Andrey V. Elsukov <ae at FreeBSD.org> wrote:
>
> On 24.04.2015 03:55, Sydney Meyer wrote:
>> Andrey,
>>
>> with your patch applied the performance drop while using the
>> IPSEC-enabled kernel without doing actual IPSec traffic seems to be
>> gone.
>>
>> I haven't tested IPSec itself yet, as i had to start from scratch
>> with new VM's but i will set up a IPSec connection and report back.
>
> Thank you. But I think something will not work if you try it with IPSec.
> Probably if you use some IKE software, it will not work with this patch.
>
> --
> WBR, Andrey V. Elsukov
More information about the freebsd-net
mailing list