[ovs-discuss] Replacing IPsec-GRE tunnel ports

Bolesław Tokarski boleslaw.tokarski at gmail.com
Sat Nov 19 21:31:32 UTC 2016


Hi, Ansis,

I've got a performance problem with my setup - I've got 1Mbps speed
reported by iperf3, while the physical link is 1Gbps. As you seem to be the
only one using StrongSwan with OVS around, you are my only hope :]

So - two physical hosts, running OpenSUSE 42.1, with kernel 4.1.34,
StrongSwan 5.2.2, OVS 2.3.3 (with your strongswan ovs patch). Tunnel
established with ipsec_gre port on ipv4, connection established with
StrongSwan, MTU on interfaces set to 1400. iperf3 between host interfaces.

I managed to narrow down the scope of the 1Mbps speed issue to StrongSwan
IPsec+GRE+OVS+VLAN tagging. Without VLAN tags I achieve 885Mbps. With
Racoon+GRE+OVS+VLAN tagging I also get ~870-880 Mbps.

Did you happen to test StrongSwan with OVS and VLAN tagging with regards to
performance?

I can provide you with more details if you'd like to replicate the issue,
but perhaps that's something you have seen already?

Best regards,
Bolesław Tokarski


2016-11-19 13:55 GMT+01:00 Bolesław Tokarski <boleslaw.tokarski at gmail.com>:

> Hi, Ansis,
>
> I tried your openvswitch-ipsec patch for strongswan on my current OVS 2.3
> installation. Although I found it was written somewhere between 2.3 and
> 2.4, it was relatively easy to adapt it to run on 2.3.3. As I needed only
> gre_ipsec, I did not need to care that this is only implemented from 2.4+.
>
> I tested it on OpenSUSE 42.1, strongswan 5.2.2, ovs 2.3.3 (with my patches
> and the strongswan patch).
>
> There's a minor bug in the patch, it wraps 'charon.plugins.kernel-netlink.xfrm_ack_expires
> = 10' in some garbage in front. The script generated
> /etc/ipsec.d/certs/ovs-$portname.pem, while I think strongswan expected
> that to be an IP address (unless I stumbled upon a cert issue I fixed
> later, details below). Also, I found it was required to specify 'local_ip'
> in ovs-vsctl, as strongswan fails to find the tunnel policy otherwise.
>
> I found StrongSwan to be very picky regarding certificates. I needed to
> specify an IP address in subjAltNames in the certificate.
>
> Besides that - the support you wrote looks like it works decently. I had
> some issues with racoon, with it not catching a certificate change, and
> failing desperately on one connection. Since it seems Strongswan is
> maintained better, it seems to be a good alternative.
>
> Thank you for this nice piece of code :)
>
> Regards,
> Bolesław Tokarski
>
>
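The quoted message above points out two things StrongSwan was picky about: the host certificate had to carry the tunnel endpoint's IP address in subjectAltName, and the ipsec_gre port had to be created with an explicit local_ip. The script below is an added example written for this post, not code from the thread or from Ansis's openvswitch-ipsec patch. It generates a self-signed certificate with an IP SAN using a config file (so it works on OpenSSL releases older than 1.1.1 as well), checks that the SAN is actually present, and builds the ovs-vsctl command with local_ip set. The addresses 192.0.2.1/192.0.2.2, the bridge br0, the port gre0 and the certificate names are constructed placeholders; the ipsec_gre options certificate, private_key, peer_cert, local_ip and remote_ip are the ones documented for OVS ipsec_gre ports.

```shell
#!/bin/sh
# Generate a StrongSwan-friendly host certificate for an OVS ipsec_gre port
# and assemble the matching ovs-vsctl invocation. All values are placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert NAME IP
#   Writes $WORKDIR/NAME.key and $WORKDIR/NAME.pem. The certificate carries
#   subjectAltName = IP:IP, which StrongSwan matches against the peer address.
make_cert() {
    name="$1"; ip="$2"
    cfg="$WORKDIR/$name.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $name
[v3_ext]
subjectAltName = IP:$ip
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$cfg" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.pem" 2>/dev/null
}

# cert_has_ip_san FILE IP
#   Exit status 0 when FILE contains the given IP address in subjectAltName.
#   Run this before handing the certificate to StrongSwan; a certificate that
#   only has a CN and no IP SAN is the failure mode described above.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# ipsec_gre_port_cmd BRIDGE PORT LOCAL_IP REMOTE_IP CERT KEY PEER_CERT
#   Prints the ovs-vsctl command that creates the port. local_ip is set
#   explicitly so StrongSwan can locate the tunnel policy.
ipsec_gre_port_cmd() {
    bridge="$1"; port="$2"; local_ip="$3"; remote_ip="$4"
    cert="$5"; key="$6"; peer="$7"
    printf '%s\n' "ovs-vsctl add-port $bridge $port -- set interface $port \
type=ipsec_gre options:local_ip=$local_ip options:remote_ip=$remote_ip \
options:certificate=$cert options:private_key=$key options:peer_cert=$peer"
}

# Usage (placeholder values): build the local host certificate, verify the
# SAN, then print the port command. Replace the echo with an actual run once
# the peer certificate has been exchanged out of band.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_cert ovs-local 192.0.2.1
    cert_has_ip_san "$WORKDIR/ovs-local.pem" 192.0.2.1 && echo "IP SAN present"
    ipsec_gre_port_cmd br0 gre0 192.0.2.1 192.0.2.2 \
        "$WORKDIR/ovs-local.pem" "$WORKDIR/ovs-local.key" "$WORKDIR/ovs-peer.pem"
fi
```

Set RUN_DEMO=1 to execute the demo block; the functions can also be sourced into another script. The certificate and key are written to a fresh temporary directory unless WORKDIR is set, so nothing lands in /etc/ipsec.d until you copy it there deliberately.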