slow pfsense IPSec performance
-
-
@stephenw10 Thank you for your reply.
I just configured OpenVPN, it works, but it is slower than IPSEC...
So, I have a last attempt to do using wireguard, but I read that "WireGuard is available as an experimental add-on package" in pfsense 2.6.0.What do you think about that? Should I give up and buy two new hypervisors with AES-NI enabled in order to use IPSEC and reach the expected performance?
Thanks for your patience,
Mauro -
Hmm, well the first thing I would do it test running an IPSec tunnel between the sites using any other method. So preferably pfSense bare metal at each end. Make sure there isn't something in the route throttling VPN traffic.
This feels more like a virtualization issue though.How slow is the OpenVPN tunnel? How are you testing it? How is it configured?
Steve
-
[ 5] 0.00-10.09 sec 1.01 GBytes 864 Mbits/sec receiver
Plus the TCP/IP overheat on top you get nearly 1 GBit/s.
Getting from the pure "in real life" situation something like
30 % throughput out of this with IPSec is really nice in my eyes. Together with AES-NI you may get some numbers plus
and if QAT is on both ends in game you may get out once more again better numbers for your VPN.What do you think about that? Should I give up and buy two new hypervisors with AES-NI enabled in order to use IPSEC and reach the expected performance?
A small 2nd hand hardware, with Xeon E3-12xxv2/3
will do the job with ease for you. I would not buy fully
new VM host hardware. If money is rarely from eBay it
might be the best point to get hands on.refurbished server for ~165 €
All in one
refurbished server for ~180 €
Plus adding a case, psu and Intel i350 NIC -
@stephenw10 the OpenVPN tunnel bitrate is 120Mbps and I'm using the default configuration mentioned in the link you provided. I also tried to reduced the impact of encryption and authentication mode, but nothing changed.
During the next days I will try to use bare metal pfsense instances. No limitation or something similar is throttling the VPN traffic in the route.
Thank you very much.
-
@dobby_ thank you for sharing your suggestions. During the next days I will try to use two bare metal pfsense instances with AES-NI enabled. Thanks again for your help
-
@mauro-tridici said in slow pfsense IPSec performance:
@dobby_ thank you for sharing your suggestions. During the next days I will try to use two bare metal pfsense instances with AES-NI enabled. Thanks again for your help
If so, and AES-NI is in the game, I would try out IPSec
together with AES-NI using AES-GCM instead of OpenVPN. -
@dobby_ Sure, I will try to apply your suggestions. Should I activate some other option like "Cryptographic Hardware" in addition to your suggested settings?
-
120Mbps should be easily achievable without any crypto hardware. There's definitely something else going on here.
-
@mauro-tridici said in slow pfsense IPSec performance:
Sure, I will try to apply your suggestions. Should I activate some other option like "Cryptographic Hardware" in addition to your suggested settings?
It all depends on the hardware. If AES_NI is in the game I
pfSense since 2.6 CE or Plus version will benefit from that
but if there is also QAT in the game I would personally upgrade to the pfSense Plus version and try out using
the QAT instead. But both together with IPSec AES-GCM.