Strongswan slow on Linksys EA8300 (quadcore armv7 cpu)

Hi all,

I'm running OpenWRT for quite some years now and my Linksys EA8300 is happily running version 22.03.01. I have three ipsec vpn's using Strongswan. For some reason, these vpn's are quite slow on this router. No improvements have been seen with earlier versions of OpenWRT/LEDE.

I have a 111/33 Mbit VDSL2 internet connection. I've tested the speed with iperf3, one running on a VPS on internet which is connected through ipsec. The second test was with a public iperf3 server: ping.online.net. Between my host and this server there was of cource no ipsec vpn.

I've tested locally on an amd64 box which is connected wired to the network. With this command I tested with the public server:

iperf3 -t 60 -p 5200 -c ping.online.net

The result:

Connecting to host ping.online.net, port 5200
[  5] local 10.109.0.10 port 55784 connected to 62.210.18.40 port 5200
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  4.08 MBytes  34.2 Mbits/sec    0    259 KBytes       
[  5]   1.00-2.00   sec  4.78 MBytes  40.1 Mbits/sec    0    444 KBytes       
[  5]   2.00-3.00   sec  3.91 MBytes  32.8 Mbits/sec  140    375 KBytes   

[....]

[  5]  58.00-59.00  sec  3.98 MBytes  33.4 Mbits/sec    0    325 KBytes       
[  5]  59.00-60.00  sec  3.98 MBytes  33.4 Mbits/sec    0    331 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec   219 MBytes  30.6 Mbits/sec  442             sender
[  5]   0.00-60.00  sec   217 MBytes  30.3 Mbits/sec                  receiver

The bitrate was about 30 Mbps, which is as expected when my VDSL upload channel is about 33 Mbps.

The next check was through the vpn:

iperf3 -t 60 -c 10.77.241.1
Connecting to host 10.77.241.1, port 5201
[  5] local 10.109.0.10 port 33856 connected to 10.77.241.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   256 KBytes  2.09 Mbits/sec   44   5.35 KBytes       
[  5]   1.00-2.00   sec   123 KBytes  1.01 Mbits/sec   18   5.35 KBytes       
[  5]   2.00-3.00   sec   154 KBytes  1.26 Mbits/sec   18   5.35 KBytes 

[...]

[  5]  58.00-59.00  sec   154 KBytes  1.26 Mbits/sec   14   4.01 KBytes       
[  5]  59.00-60.00  sec   123 KBytes  1.01 Mbits/sec   16   4.01 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-60.00  sec  8.15 MBytes  1.14 Mbits/sec  938             sender
[  5]   0.00-60.02  sec  8.10 MBytes  1.13 Mbits/sec                  receiver

So really much slower. The cpu wasn't reaching for 100% usage at both tests. There was not seen any increase in the load on the system.

Is there something I can do about this? Or is the cpu too slow for encrypting the traffic?

These are the settings in ipsec.conf:

conn server_on_internet
    ##fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-ecp384!
    esp=aes256-sha256-ecp384!
    keyingtries=%forever
    keyexchange=ikev2
    type=tunnel
    forceencaps=yes
    left=xxx.xxx.xxx.xxx
    leftsubnet=10.109.0.0/24
    leftauth=secret
    right=yyy.yyy.yyy.yyy
    rightsubnet=10.77.240.0/23
    rightauth=secret
    auto=start

Someone on the Strongswan wiki has raised the same question (and has the same cpu, I believe): https://wiki.strongswan.org/issues/3348

I've got no idea if hardware encryption is enabled. There's an answer someone suggesting using strongswan-mod-libipsec which does the encrytion in userland. I tried it, but no tunnel would come up. Maybe someone can tell how to configure Strongswan with this module?

Thank you,
Alexander