Issue #3348

Very low speed on ARM router (IPQ4019, 4 cores)

Added by kay kay about 1 month ago. Updated 12 days ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.8.2
Resolution:

Description

In #3346 I configured a MIPS-based router to have an ipsec tunnel with a ~16mbit/s speed. It consumed 100% CPU.

The same strongSwan configuration on an ARM router with the hardware encryption gives 600 kbit/s for download and upload. I tried to disable encryption with esp=null-sha1! and got 1 mbit.

Then I decided to configure ipsec via tun interface:
  • no encryption: 50 mbit/s
  • with encryption: 30 mbit/s

It has absolutely the same ipsec configuration I used on a MIPS router. I don't understand why I get 600 kbit/s for both download and upload. Any advice is appreciated.

History

#1 Updated by kay kay about 1 month ago

Probably there are some problems with encryption in kernel. How can I force strongSwan to use openssl for all the encryption routines? With openssl I can specify whether I want to use HW or software encryption. I suppose this will provide more information about what is wrong.

#2 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

> How can I force strongSwan to use openssl for all the encryption routines?

You'd have to use the kernel-libipsec plugin to handle IPsec in userland.

#3 Updated by kay kay about 1 month ago

Then it appears that the userland kernel-libipsec plugin has better performance than the kernel... Now I wonder how I can disable hardware encryption in the kernel. I already removed the devcrypto and af_alg kernel modules, but it looks like I need to unregister encryption methods from /proc/crypto. Any idea how to do this, or is it hard-compiled into the kernel?

#4 Updated by Noel Kuntze about 1 month ago

The problem might also be wrong MSS or MTU values. Try fixing the MSS to 1300 and test it again. (Without using a dedicated interface of course).

#5 Updated by kay kay about 1 month ago

I set the same iptables rule I did before on MIPS:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1201:1536 -j TCPMSS --set-mss 1200

and I also unset mtu/mss from the /etc/strongswan.d/charon/kernel-netlink.conf, because these options interfered with iptables rules on MIPS router.

#6 Updated by Noel Kuntze about 1 month ago

Okay, and load is 100% on the ARM router, too?
You can check what the kernel does by using the perf kernel utility. (E.g. perf top). It has to be installed first though.

#7 Updated by kay kay about 1 month ago

nope, CPU load on ARM in this case is ~5-10%. I'll check the perf top and let you know.

#8 Updated by kay kay 13 days ago

Latest tests with the ARM CPU (Speedtest by Ookla CLI tool):

With iptables on the router below:

iptables -t mangle -I FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300
iptables -t mangle -I FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1301:1536 -j TCPMSS --set-mss 1300

I get:

    Latency:    30.89 ms   (2.69 ms jitter)
   Download:     1.76 Mbps (data used: 2.0 MB)
     Upload:     1.32 Mbps (data used: 685.2 kB)

Without these rules on the router I get:

   Download:     1.56 Mbps (data used: 1.9 MB)
     Upload:     0.01 Mbps (data used: 0.01 MB)

I also ran some tests, when I set these rules on the remote ipsec router. Same results.

#9 Updated by kay kay 13 days ago

Within userspace (no iptables rules on client strongswan and server strongswan) I get:

    Latency:    37.50 ms   (0.73 ms jitter)
   Download:    30.70 Mbps (data used: 53.8 MB)
     Upload:    30.68 Mbps (data used: 53.1 MB)

Do you still think it is an MTU issue?

#10 Updated by Noel Kuntze 13 days ago

Probably still an MTU issue. Please try changing the MTU on the routes in table 220 to 1400. E.g. ip route replace default [...] mtu 1400. Or set it in strongswan.d/charon/kernel-netlink.conf.

#11 Updated by kay kay 13 days ago

> Probably still an MTU issue. Please try changing the MTU on the routes in table 220 to 1400. E.g. ip route replace default [...] mtu 1400. Or set it in strongswan.d/charon/kernel-netlink.conf.

on the remote side or on the local router side?

#12 Updated by Noel Kuntze 13 days ago

I'd do it on the local router side.

#13 Updated by kay kay 12 days ago

Same results. 1.6 download and 0.01 upload.

$ ip r show table 220
default via 100.200.0.1 dev pppoe proto static src 10.25.9.1 mtu 1400

Tried with MTU 1300 as well.
