1) I received about 2 Mbyte/s of data over vpnc 0.5.4 on Linux CentOS 6 64-bit; vpnc CPU load in both top and htop was about 50% of a 1.8 MHz CPU. Is this normal, or is there any way to reduce CPU usage? I tried to profile with callgrind and it seems to spend most of its time in libgcrypt. Could it be that I am using an old libgcrypt? Are there any steps to take to reduce CPU usage/load, or is this expected behaviour? The connection is reliable, but the CPU usage overloads the system to some extent. Would it be possible to disable encryption?
2) How can I determine the CPU usage of the Cisco VPN client, which is launched by a user-space vpnclient? It uses a cisco_ipsec.ko kernel module, but this module's CPU usage does not show up in top or htop. How could I find out the Cisco VPN client's CPU usage, so that the kernel module's CPU share emerges under the same conditions as for vpnc above? It appears not to use any CPU, which is not likely.
Thank you for any information, kindly.
My configuration:
[root@centos6 vpnc-0.5.3]# uname -a
Linux centos6 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@centos6 vpnc-0.5.3]# ./vpnc --debug 2
vpnc version 0.5.3
S1 init_sockaddr
[2011-09-12 21:42:06]
S2 make_socket
[2011-09-12 21:42:06]
S3 setup_tunnel
[2011-09-12 21:42:06]
using interface tun0
S4 do_phase1_am
[2011-09-12 21:42:06]
S4.1 create_nonce
[2011-09-12 21:42:06]
S4.2 dh setup
[2011-09-12 21:42:06]
S4.3 AM packet_1
[2011-09-12 21:42:06]
S4.4 AM_packet2
[2011-09-12 21:42:06]
(Cisco Unity)
(Xauth)
(DPD)
(Nat-T 02N)
(unknown)
(unknown)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-aes128-md5
peer is DPD capable (RFC3706)
peer is NAT-T capable (draft-02)\n
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
peer is using type 130 (ISAKMP_PAYLOAD_NAT_D_OLD) for NAT-Discovery payloads
S4.5 AM_packet3
[2011-09-12 21:42:06]
NAT status: this end behind NAT? YES -- remote end behind NAT? no
NAT-T mode, adding non-esp marker
S4.6 cleanup
[2011-09-12 21:42:06]
S5 do_phase2_xauth
[2011-09-12 21:42:06]
S5.1 xauth_start
[2011-09-12 21:42:06]
S5.2 notice_check
[2011-09-12 21:42:06]
S5.3 type-is-xauth check
[2011-09-12 21:42:06]
S5.4 xauth type check
[2011-09-12 21:42:06]
S5.5 do xauth authentication
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker
S5.2 notice_check
[2011-09-12 21:42:06]
S5.3 type-is-xauth check
[2011-09-12 21:42:06]
S5.6 process xauth response
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker
S5.7 xauth done
[2011-09-12 21:42:06]
S6 do_phase2_config
[2011-09-12 21:42:06]
S6.1 phase2_config send modecfg
[2011-09-12 21:42:06]
NAT-T mode, adding non-esp marker
S6.2 phase2_config receive modecfg
[2011-09-12 21:42:06]
got save password setting: 0
got 8 acls for split include
acl 0: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 1: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 2: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 3: addr: 192.168.128.163/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 4: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 5: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 6: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
acl 7: addr: 192.168.128.164/ 255.255.255.255 (32), protocol: 0, sport: 0, dport: 0
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc PIX-515E Version 7.0(6) built by builders on Tue 22-Aug-06 13:22
got address 10.10.10.21
S7 setup_link (phase 2 + main_loop)
[2011-09-12 21:42:06]
S7.0 run interface setup script
[2011-09-12 21:42:06]
S7.1 QM_packet1
[2011-09-12 21:42:07]
S7.2 QM_packet2 send_receive
[2011-09-12 21:42:07]
NAT-T mode, adding non-esp marker
S7.3 QM_packet2 validate type
[2011-09-12 21:42:07]
S7.4 process and skip lifetime notice
[2011-09-12 21:42:07]
got ike lifetime attributes: 7200 seconds
S7.2 QM_packet2 send_receive
[2011-09-12 21:42:07]
NAT-T mode, adding non-esp marker
S7.3 QM_packet2 validate type
[2011-09-12 21:42:07]
S7.5 QM_packet2 check reject offer
[2011-09-12 21:42:07]
S7.6 QM_packet2 check and process proposal
[2011-09-12 21:42:07]
got ipsec lifetime attributes: 2147483 seconds
IPSEC SA selected aes128-md5
got ipsec lifetime attributes: 28800 seconds
NAT-T mode, adding non-esp marker
S7.7 QM_packet3 sent
[2011-09-12 21:42:07]
S7.8 setup ipsec tunnel
[2011-09-12 21:42:07]
S7.9 main loop (receive and transmit ipsec packets)
[2011-09-12 21:42:07]
remote -> local spi: 0x5191a475
local -> remote spi: 0x1acc57e9
VPNC started in background (pid: 7964)...
[root@centos6 vpnc-0.5.3]# ldd ./vpnc
linux-vdso.so.1 => (0x00007fffe0dff000)
libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x0000003728600000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003185000000)
libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x000000372b600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003184c00000)
/lib64/ld-linux-x86-64.so.2 (0x0000003184800000)