Date:      Fri, 24 Apr 2015 03:06:39 +0200
From:      Sydney Meyer <meyer.sydney@googlemail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: IPSec Performance under Xen
Message-ID:  <A10060B0-49B9-420F-8A95-A132E0CBCA5E@gmail.com>
In-Reply-To: <553995A6.60603@FreeBSD.org>
References:  <CF189888-FD6B-4407-8360-56206D49DD6D@gmail.com> <55397FB3.6080702@yandex.ru> <079851FA-50AC-47E8-B4BE-D97DE4C185B5@gmail.com> <553995A6.60603@FreeBSD.org>

You're right.. strongswan fails/hangs with:

initiating IKE_SA host-host[1] to 10.0.30.66
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.0.30.114[500] to 10.0.30.66[500] (1148 bytes)
received packet: from 10.0.30.66[500] to 10.0.30.114[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'sun.strongswan.org' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
..


S.

> On Apr 24, 2015, at 03:00, Andrey V. Elsukov <ae@FreeBSD.org> wrote:
>
> On 24.04.2015 03:55, Sydney Meyer wrote:
>> Andrey,
>>
>> with your patch applied the performance drop while using the
>> IPSEC-enabled kernel without doing actual IPSec traffic seems to be
>> gone.
>>
>> I haven't tested IPSec itself yet, as I had to start from scratch
>> with new VMs but I will set up an IPSec connection and report back.
>
> Thank you. But I think something will not work if you try it with IPSec.
> Probably if you use some IKE software, it will not work with this patch.
>
> --
> WBR, Andrey V. Elsukov



