From: Sydney Meyer
Subject: Re: IPSec Performance under Xen
Date: Fri, 24 Apr 2015 03:06:39 +0200
To: freebsd-net@freebsd.org

You're right.. strongswan fails/hangs with:

initiating IKE_SA host-host[1] to 10.0.30.66
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 10.0.30.114[500] to 10.0.30.66[500] (1148 bytes)
received packet: from 10.0.30.66[500] to 10.0.30.114[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'sun.strongswan.org' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.0.30.114[4500] to 10.0.30.66[4500] (444 bytes)
..

S.

> On Apr 24, 2015, at 03:00, Andrey V. Elsukov wrote:
>
> On 24.04.2015 03:55, Sydney Meyer wrote:
>> Andrey,
>>
>> with your patch applied the performance drop while using the
>> IPSEC-enabled kernel without doing actual IPSec traffic seems to be
>> gone.
>>
>> I haven't tested IPSec itself yet, as I had to start from scratch
>> with new VMs but I will set up an IPSec connection and report back.
>
> Thank you. But I think something will not work if you try it with IPSec.
> Probably if you use some IKE software, it will not work with this patch.
>
> --
> WBR, Andrey V. Elsukov