From: Michael L. <ml...@wg...> - 2005-01-30 23:25:08
--On Sunday, January 30, 2005 17:59 +0100 Ralf Schenk <rs...@da...> wrote:

> Hello !
>
> I have a performance issue with Kernel 2.6.X and policy match support as
> suggested in http://shorewall.net/IPSEC-2.6.html. My IPSEC performance
> doesn't exceed about 30kbyte/sec even if my downlink is 1024kbit/sec and
> should reach more than 100kbyte/sec.
>
> No, it's not the cpu's performance (AMD Barton 2500+) and no it's not the
> gateway (CELERON 600 MHz) on the remote side.

I disagree. Crypto is pretty hard on those little Celerons. Hell, I see massive performance hits using scp/ssh on PIII 600s and 1gig machines. Celerons are not performance CPUs. Add to that the ppp overhead, I can easily see it being the CPU.

Have you ever run top or vmstat and watched the CPU idle % during any of this?

> Shorewall is 2.2.0RC5, should be upgraded today...
> I use Openswan 2.3.0 on both distros. ESP was set tried with AES and
> Blowfish, doesn't matter.

Crypto is hard, takes a LOT of CPU. Try running some throughput measurements with vmstat on both ends and record their output (say vmstat 5 over the course of 30sec-1minute with traffic flowing first in one direction, then the other).
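
An added example, not part of the original message: one way to reduce a recorded `vmstat 5` capture from either tunnel endpoint to its average and minimum CPU idle %. The function names, the constructed sample capture and the 10% idle threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Summarise recorded `vmstat 5` output: average and minimum CPU idle %.
# Optional $1: idle % below which the run is called CPU-bound (assumed default 10).
vmstat_idle_summary() {
    awk -v thr="${1:-10}" '
        /^procs/ { next }                        # banner row above the column names
        {   # a row containing the literal "id" is a header: remember its column
            hdr = 0
            for (i = 1; i <= NF; i++) if ($i == "id") { idcol = i; hdr = 1 }
        }
        hdr || idcol == 0 { next }
        !skipped { skipped = 1; next }           # first data row is the since-boot average
        {
            idle = $idcol + 0
            sum += idle; n++
            if (n == 1 || idle < min) min = idle
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            avg = sum / n
            printf "samples=%d avg_idle=%.1f min_idle=%d verdict=%s\n",
                   n, avg, min, (avg < thr ? "cpu-bound" : "headroom")
        }'
}

# Constructed capture (not real data): a gateway while ESP traffic is flowing.
sample_vmstat() {
    cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 120000  20000 300000    0    0     5     3  150   200  2  1 96  1
 2  0      0 118000  20000 301000    0    0     0     2 2100   900 35 62  3  0
 3  0      0 117900  20000 301100    0    0     0     0 2300   950 38 62  0  0
 2  0      0 117800  20000 301200    0    0     0     1 2250   940 36 62  2  0
 2  0      0 117700  20000 301300    0    0     0     0 2280   945 37 62  1  0
EOF
}

sample_vmstat | vmstat_idle_summary
```

On a live system, pipe `vmstat 5 12` into `vmstat_idle_summary` on each end, once per traffic direction, and compare the four results.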