Sorry for late response to my own thread :) After almost 2 years I got same performance issues. I have 2 test boxes (i5 CPU 650 @ 3.20GHz, 3192.42 MHz and i5-3470 CPU @ 3.20GHz, 3193.26 MHz) both with AES-NI support and this time I have a chance to reply with my results.
1) Without IPSEC I'm getting ± 920 Mbit/sec 2) With IPSEC and aes-128 or aes-256 enc I'm getting ± 270 Mbits/sec 3) With IPSEC and aes-128-gcm or aes-256-gcm enc I'm getting ± 600 Mbits/sec All tests were done on -stable which is 5.6 GENERIC.MP#0 amd64. I did traffic generation on same boxes I have IPSEC peers, this resulted to high CPU usage on CPU0 on both boxes (± 80% on client and ± 55% on server), so this test is not 100% accurate from maximum possible performance of view. Did anybody have significantly better results? Any luck to improve ipsec performance today? Power of Proof: Screenshot with my test results http://snag.gy/EmrTw.jpg Screenshot top during test: http://snag.gy/p0HJT.jpg cat ipsec.conf ike esp from 192.168.7.226 to 192.168.8.114 \ main auth hmac-sha1 enc aes-256 group modp1024 \ quick enc aes-256-gcm group modp1024 \ psk "12345678" -- Evgeniy Sudyr On Mon, Jul 22, 2013 at 11:42 AM, Evgeniy Sudyr <[email protected]> wrote: > Thank you alot! I will try to repeat testing with -gcm today. > > > On Mon, Jul 22, 2013 at 10:16 AM, BARDOU Pierre <[email protected]> wrote: >> >> Hi, >> >> The testbed has been reused since I ran the tests, but the config was >> something standard like : >> >> ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \ >> main auth hmac-sha1 enc aes-256 \ >> quick auth hmac-sha1 enc aes-256 psk "secret" >> >> If I remember well, for AES-GCM, there is no AUTH parameter, and it is >> phase 2 only. So it was something like : >> ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \ >> main auth hmac-sha1 enc aes-256 \ >> quick enc aes-256-gcm psk "secret" >> >> If I've made syntax errors ipssecctl will tell you quickly btw. >> >> -- >> Cordialement, >> Pierre BARDOU >> >> De : Evgeniy Sudyr [mailto:[email protected]] >> Envoyé : dimanche 21 juillet 2013 13:17 >> À : BARDOU Pierre >> Cc : [email protected] >> Objet : Re: OpenBSD ipsec performance on modern HW >> >> All, >> >> during my tests I seen that CPU on all cores and memory usage was very >> low. >> Just interesting if there are any bottlenecks and how to fix them. >> 1) Does anybody care tcp stack tuning for high speed IPSEC ? >> 2) Can I run IPSEC (that's isakmpd ?) on other cores? >> >> Pierre, >> can you share your ipsec config to check same on my side. >> > > > > -- > -- > With regards, > Eugene Sudyr -- -- With regards, Eugene Sudyr
