IPsec performance issue

My device is gl-inet b1300, an ipq4029 router, flashed with OpenWrt latest snapshot firmware, it is my home lan's gateway, and I set up an IPsec server with strongswan on it. Everything looks good, no error message, but I encounter some strange performance issues. I tested following scenarios:

Youtube App → IPsec → b1300 → ISP's PPPoE link → youtube.com(udp protocol), seems good, I can playback 1080p video smoothly.

Browser → IPsec → b1300 → ISP‘s PPPoE link → websites(tcp protocol), I can browser sites, but feels laggy. And Speedtest App showed very low speed, under 1Mbps.

nPlayer App → IPsec → b1300 → ethernet → NAS(smb and DLNA protocol), I can browser playlist, but can't playback videos, very very laggy.

File Manager App → IPsec → b1300 → ethernet → http server, very low speed, ~30KBps.

I tested iPhone, Android phone, and Windows 10 notebook, almost the same results.

I also set up strongswan server on a MT7621 router, an x86 machine, with the same minimal configuration, both of them works well, reached 40Mbps and 100Mbps.

I tried b1300's factory firmware too. It's a qsdk compiled firmware, based on OpenWrt 15, with 4.4 kernel and strongswan 5.3.3. I set up strongswan server with the same minimal configuration, and it works well too, reached about 40Mbps.

Because it seems a TCP related issue, I also tried to set TCP mss clamp or specified value on lan and wan interface, but no help. Indeed, There is no need to set MSS on my MT7621 and x86 testing server.

So this issue has been beyond my limited knowledge, I think it should be a low-level OpenWrt issue. I'm looking forward to help from experts. If any more information needed, please let me know.

Same problem with Asus AC58U and IPQ4018 devices.
If user space module (libipsec) is loaded speed is about 40Mbps with iperf.
But without libipsec same speed probem exists.
I'm looking for help too.

Thanks for providing more information.
It seems that all ipq40xx devices are affected.

Same here with Asus AC58U, strongswan ipsec speed never go beyond 40kB

I have found fix for IPsec.
CRYPTO_HW is enabled by default in kernel config.
If I disable it IPSec speed goes up to 50Mbits/s

Thanks. It works on my device too. Could you commit a Pull Request to the official repository?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.