Very low speed on ARM router (IPQ4019, 4 cores)
In #3346 I configured a MIPS-based router to have an ipsec tunnel with a ~16mbit/s speed. It consumed 100% CPU.
The same strongSwan configuration on an ARM router with hardware encryption gives 600 kbit/s for download and upload. I tried to disable encryption with esp=null-sha1! and got 1mbit. Then I decided to configure ipsec via a tun interface:
- no encryption: 50 mbit/s
- with encryption: 30 mbit/s
It has absolutely the same ipsec configuration I used on a MIPS router. I don't understand why I get 600 kbit/s for both download and upload. Any advice is appreciated.
#1 Updated by kay kay about 1 month ago
Probably there are some problems with encryption in the kernel. How can I force strongSwan to use openssl for all the encryption routines? With openssl I can specify whether I want to use HW or software encryption. I suppose this will provide more information about what is wrong.
#3 Updated by kay kay about 1 month ago
Then it appears that in userland the kernel-libipsec plugin has better performance than the kernel... Now I wonder how I can disable hardware encryption in the kernel. I already removed the devcrypto and af_alg kernel modules, but it looks like I need to unregister encryption methods from /proc/crypto. Any idea how to do this, or is it hardcompiled in the kernel?
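Editor's added example, not part of the thread or of strongSwan: for a given algorithm name the kernel crypto API selects the registered implementation with the highest priority, so summarising /proc/crypto by name shows whether a hardware driver or a software one currently wins for the ESP algorithms in use. The function name and the sample entries below are constructed for illustration.

```shell
#!/bin/sh
# crypto_winners [FILE]: for each algorithm name in /proc/crypto-format input,
# print "<name> <driver> <priority> <async>" for the highest-priority entry.
# FILE defaults to /proc/crypto; pass "-" to read standard input.
crypto_winners() {
    awk -F' *: *' '
        function record_end() {
            # strict ">" keeps the first listed entry on a priority tie
            if (name != "" && (!(name in best) || prio + 0 > best[name] + 0)) {
                best[name] = prio; drv[name] = driver; asy[name] = async
            }
            name = driver = prio = ""; async = "-"
        }
        BEGIN { async = "-" }
        /^[ \t]*$/       { record_end(); next }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        $1 == "async"    { async = $2 }
        END { record_end(); for (n in best) print n, drv[n], best[n], asy[n] }
    ' "${1:-/proc/crypto}" | sort
}

# Constructed sample in /proc/crypto layout (not captured from a real router).
sample_proc_crypto() {
cat <<'EOF'
name         : cbc(aes)
driver       : cbc-aes-neonbs
priority     : 250
async        : no

name         : cbc(aes)
driver       : cbc-aes-qce
priority     : 300
async        : yes

name         : hmac(sha1)
driver       : hmac-sha1-qce
priority     : 300
async        : yes

name         : hmac(sha1)
driver       : hmac(sha1-generic)
priority     : 100
EOF
}

sample_proc_crypto | crypto_winners -
```

On the router itself, run `crypto_winners` with no argument before and after unloading a crypto module to see whether the winning driver for each algorithm changed.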
#5 Updated by kay kay about 1 month ago
I set the same iptables rule I did before on MIPS:
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200
and I also unset mtu/mss in /etc/strongswan.d/charon/kernel-netlink.conf, because these options interfered with the iptables rules on the MIPS router.
Latest tests with the ARM CPU (Speedtest by Ookla CLI tool):
With iptables on the router below:
iptables -t mangle -I FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300
iptables -t mangle -I FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300
Latency: 30.89 ms (2.69 ms jitter)
Download: 1.76 Mbps (data used: 2.0 MB)
Upload: 1.32 Mbps (data used: 685.2 kB)
Without these rules on the router I get:
Download: 1.56 Mbps (data used: 1.9 MB)
Upload: 0.01 Mbps (data used: 0.01 MB)
I also ran some tests with these rules set on the remote ipsec router. Same results.