Hello,
Well, we did some more testing here and it seems that Freeswan is off the hook
completely (sorry about the false alarm). In order to better gauge the problem,
we tried a few more sophisticated tests with our own programs.
For starters, I wrote a simple client-server system where the client wrote a
line (of about 80 bytes) and the recipient read the line. When I ran these on
the two tunnel machines on a point-to-point tunnel (no subnets behind them),
there was a 100% CPU load hit on the sending machine and we observed a rate of
about 50 Mbits/sec on the encrypted tunnel. This was in line with the formula
given on the Freeswan performance page. Furthermore, we noticed high CPU usage
on the sending machine, but not on the receiving machine, because the encryption
of the packets was the first bottleneck observed.
Further tests also confirmed that in the example below, the bottleneck really
was the receiving machine on the recipient subnet, although it is unclear why
the discrepancy occurred in the times (there was some additional latency to be
sure from using the tunnel, but not %100). Furthermore, if you are bottlenecking
on the connection, you should notice the effects primarily by analyzing the CPU
load on the sending machine.
Yours,
Jake
>> Hello,
>>
>> I'm having a problem here that I was wondering if the fine
>> people here at Freeswan could help diagnose. I am currently
>> sending a 1.7 MB file between two machines on subnets fronted
>> by Freeswan boxes. When I send the file directly from one
>> machine to another without the boxes, it takes 4-5 secs. When
>> I send it to the box on the incoming side (just testing the
>> routing only), it takes 5-6 secs. However, when I do it fully
>> between the two subnets on an encrypted tunnel, it can take
>> 12-20 secs to send. Needless to say, this is not really
>> encouraging for our performance checks.
>>
>> When I look at one of the gateways, it's not CPU-bound
>> according to either top or vmstat when sending the message.
>> It also is not network-bound since everything is on a 10-Mbit
>> switch. There is obviously a gating factor on the receiving
>> side even when I send the message unencrypted, but this would
>> not be responsible for the doubling in transmission times I'm seeing.
>>
>> Sending multiple copies in parallel takes proportionally
>> longer, suggesting it is not an issue of latency (more like
>> bandwith). More interestingly, when I send the message to two
>> different subnets each on a different tunnel, it takes around
>> the same time for both in parallel, further suggesting it's
>> not an issue of CPU or network gating.
>>
>> Both machines are Dell rackmount boxes with Dual Pentium IIIs
>> and Intel Epro 100 cards in them. I am willing to gather any
>> statistics or diagnostics that might help, but I am currently
>> quite befuddled about what is going on here. Does anybody
>> think they can help? Thanks.
>>
>> Yours,
>> Jake
>
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST