Netgate Discussion Forum

    IPSec with data compression?

    2.2 Snapshot Feedback and Problems - RETIRED
    • rcfa

      @ermal:

      It is not currently supported in FreeBSD hence it does not get activated.

      So the compression has to happen at the kernel level?

      Are there any active efforts under way in this regard, either on the FreeBSD side or from the pfSense side, or is that something that may not show up for years because nobody cares about it? (Not being sarcastic, just trying to figure out if it's realistic to wait for this to be supported, or if I'd better find some other way to speed things up, like risking tinc again, etc.) How big of a change/addition is required for this to work?

      • eri--

        There is some kernel level work needed to be performed on this.

        Though you can try aesni CPUs to speed up ipsec with 2.2.

        • eri--

          Actually, I stand corrected.
          This is supported in FreeBSD and you need to supply the compression to the configuration of the VPN.

          I am checking this now and maybe push it with a toggle to enable it.

          • eri--

            In tomorrow's snapshots you have a setting in IPsec->advanced settings to enable IPcomp on IPsec.

            Test it out and let me know.

            • rcfa

              @ermal:

              Though you can try aesni CPUs to speed up ipsec with 2.2.

              Unfortunately, my CPUs don't support this…

              • rcfa

                @ermal:

                In tomorrow's snapshots you have a setting in IPsec->advanced settings to enable IPcomp on IPsec.

                Test it out and let me know.

                So far so good:

                IPSec without IPComp

                0.0-678.6 sec  1048576 KBytes  1545 KBytes/sec
                

                IPSec with IPComp

                0.0-451.5 sec  1048576 KBytes  2322 KBytes/sec
                

                OpenVPN with adaptive compression, no Encryption

                0.0-221.8 sec  997888 KBytes  4500 KBytes/sec
                

                OpenVPN with adaptive compression, AES

                0.0-257.0 sec  969984 KBytes  3774 KBytes/sec
                

                Only question: why is this a generic IPSec setting and not a setting per connection?
                Per the ipsec.conf man page I found on the internet, the compress parameter is connection specific.

                • cmb

                  It is connection-specific; we might change that at some point in the future. It negotiates whether to use IPComp though, and will work fine with it enabled even if some of your connections don't support it, as strongSwan will automatically disable it where it's not supported.

                  • rcfa

                    @cmb:

                    It is connection-specific; we might change that at some point in the future. It negotiates whether to use IPComp though, and will work fine with it enabled even if some of your connections don't support it, as strongSwan will automatically disable it where it's not supported.

                    Cool. I thought it would fit nicely on the phase two page…

                    Anyway, for me it doesn't matter much, in any case I'm happy about the increase in throughput over my line...
                    :) 8)

                    • va176thunderbolt

                      I believe something in last night's build broke it. I cannot get a tunnel that was working back up unless I disable it.

                      The logs on both sides are showing this:
                      ipsec_starter[52396]: /var/etc/ipsec/ipsec.conf:22: syntax error, unexpected STRING [\tcompress]

                      Both sides of the tunnel are pfSense 2.2 boxes.

                      Adam

                      • cmb

                        @va176thunderbolt:

                        I believe something in last night's build broke it. I cannot get a tunnel that was working back up unless I disable it.

                        The logs on both sides are showing this:
                        ipsec_starter[52396]: /var/etc/ipsec/ipsec.conf:22: syntax error, unexpected STRING [\tcompress]

                        The original commit had a typo that would do that, which was fixed not long after. Upgrade to the latest and that should work.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.