Hi all,
I've been running OpenWrt for quite some years now and my Linksys EA8300 is happily running version 22.03.01. I have three IPsec VPNs using strongSwan. For some reason, these VPNs are quite slow on this router. No improvements have been seen with earlier versions of OpenWrt/LEDE.
I have a 111/33 Mbit VDSL2 internet connection. I've tested the speed with iperf3, one running on a VPS on the internet which is connected through IPsec. The second test was with a public iperf3 server: ping.online.net. Between my host and this server there was of course no IPsec VPN.
I've tested locally on an amd64 box which is connected wired to the network. With this command I tested with the public server:
iperf3 -t 60 -p 5200 -c ping.online.net
The result:
Connecting to host ping.online.net, port 5200
[ 5] local 10.109.0.10 port 55784 connected to 62.210.18.40 port 5200
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 4.08 MBytes 34.2 Mbits/sec 0 259 KBytes
[ 5] 1.00-2.00 sec 4.78 MBytes 40.1 Mbits/sec 0 444 KBytes
[ 5] 2.00-3.00 sec 3.91 MBytes 32.8 Mbits/sec 140 375 KBytes
[....]
[ 5] 58.00-59.00 sec 3.98 MBytes 33.4 Mbits/sec 0 325 KBytes
[ 5] 59.00-60.00 sec 3.98 MBytes 33.4 Mbits/sec 0 331 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-60.00 sec 219 MBytes 30.6 Mbits/sec 442 sender
[ 5] 0.00-60.00 sec 217 MBytes 30.3 Mbits/sec receiver
The bitrate was about 30 Mbps, which is as expected when my VDSL upload channel is about 33 Mbps.
The next check was through the vpn:
iperf3 -t 60 -c 10.77.241.1
Connecting to host 10.77.241.1, port 5201
[ 5] local 10.109.0.10 port 33856 connected to 10.77.241.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 256 KBytes 2.09 Mbits/sec 44 5.35 KBytes
[ 5] 1.00-2.00 sec 123 KBytes 1.01 Mbits/sec 18 5.35 KBytes
[ 5] 2.00-3.00 sec 154 KBytes 1.26 Mbits/sec 18 5.35 KBytes
[...]
[ 5] 58.00-59.00 sec 154 KBytes 1.26 Mbits/sec 14 4.01 KBytes
[ 5] 59.00-60.00 sec 123 KBytes 1.01 Mbits/sec 16 4.01 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-60.00 sec 8.15 MBytes 1.14 Mbits/sec 938 sender
[ 5] 0.00-60.02 sec 8.10 MBytes 1.13 Mbits/sec receiver
So really much slower. The CPU wasn't reaching 100% usage in either test. No increase in the load on the system was seen.
Is there something I can do about this? Or is the cpu too slow for encrypting the traffic?
These are the settings in ipsec.conf:
conn server_on_internet
    ##fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-ecp384!
    esp=aes256-sha256-ecp384!
    keyingtries=%forever
    keyexchange=ikev2
    type=tunnel
    forceencaps=yes
    left=xxx.xxx.xxx.xxx
    leftsubnet=10.109.0.0/24
    leftauth=secret
    right=yyy.yyy.yyy.yyy
    rightsubnet=10.77.240.0/23
    rightauth=secret
    auto=start
Someone on the strongSwan wiki has raised the same question (and has the same CPU, I believe): https://wiki.strongswan.org/issues/3348
I've got no idea if hardware encryption is enabled. There's an answer from someone suggesting using strongswan-mod-libipsec, which does the encryption in userland. I tried it, but no tunnel would come up. Maybe someone can tell how to configure strongSwan with this module?
Thank you,
Alexander
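The conn in the post combines type=tunnel, forceencaps=yes and esp=aes256-sha256, so every tunnelled packet grows by a fixed ESP overhead plus cipher padding. The following is an added example, not part of the original post, that computes the resulting outer packet size and the largest inner packet that fits a given outer MTU; it assumes an IPv4 outer header, and the MTU values 1500 and 1492 are constructed sample inputs, not values from the post.

```python
# Added example: packet sizing for esp=aes256-sha256, type=tunnel, forceencaps=yes.
# Assumptions: IPv4 between the peers, no IP options, AES-CBC with a
# 128-bit truncated HMAC-SHA-256 ICV (what "aes256-sha256" selects for ESP).

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
UDP_ENCAP = 8     # UDP header added by forceencaps=yes
ESP_HEADER = 8    # SPI (4) + sequence number (4)
IV = 16           # AES-CBC initialisation vector
ICV = 16          # HMAC-SHA-256 truncated to 128 bits
BLOCK = 16        # AES block size; ciphertext is padded to a multiple of this
TRAILER = 2       # ESP pad-length and next-header bytes (encrypted)
FIXED = OUTER_IPV4 + UDP_ENCAP + ESP_HEADER + IV + ICV
TCP_IP_HEADERS = 40  # inner IPv4 + TCP headers without options (assumption)


def outer_size(inner_len: int) -> int:
    """Size on the wire of one ESP packet carrying an inner packet of inner_len bytes."""
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK  # round up to a block
    return FIXED + padded


def max_inner(outer_mtu: int) -> int:
    """Largest inner packet whose ESP packet still fits in outer_mtu unfragmented."""
    room = (outer_mtu - FIXED) // BLOCK * BLOCK  # whole cipher blocks that fit
    return room - TRAILER


def tcp_mss(outer_mtu: int) -> int:
    """TCP MSS that keeps full-size segments within max_inner()."""
    return max_inner(outer_mtu) - TCP_IP_HEADERS


if __name__ == "__main__":
    for mtu in (1500, 1492):  # constructed sample MTUs (plain Ethernet, PPPoE-style)
        print(f"outer MTU {mtu}: max inner packet {max_inner(mtu)}, "
              f"TCP MSS {tcp_mss(mtu)}")
    # A full 1500-byte LAN packet no longer fits a 1500-byte outer MTU:
    print("1500-byte inner packet becomes", outer_size(1500), "bytes on the wire")
```

Comparing `max_inner()` for the real path MTU with the MTU and MSS actually in use on the LAN side shows whether full-size packets have to be fragmented after encryption.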