IPSec throughput with pfsense
-
I installed on both sides a webserver with DocRoot in RAM Disk.
I created a 2GB file, and with AES256 I got 55MB/s out and 45MB/s in. Switching to AES-GCM I can start downloading the file, but the transfer stops after some seconds (MTU?). Uploading is not possible, no successful 3-way handshake.
-
I have tested AES-GCM with linux and it surely works.
You need to enable the AESNI module to get proper performance.
Though what you say means some configuration or MTU issue of sorts; though if you have it working with AES there should be no change in that regard with AES-GCM.
Can you put net.inet.ipsec.debug=0xffffff and see what comes out on dmesg -a after that with AES-GCM traffic going?
-
@ermal:
I have tested AES-GCM with linux and it surely works.
You need to enable AESNI module to get performance proper.
I disabled AESNI via the WebUI and tested again, same speed with AES256/SHA2; turned it on again (dmesg: aesni0: <aes-cbc,aes-xts,aes-gcm> on motherboard), same speed.
@ermal:
Though what you say means some configuration or MTU issue of sort though if you have it working with AES there should be no change in that regard with AES-GCM.
Double-checked everything, MTU is 1500. I lowered the NIC MTU on the clients to 1300, but I can't even ping hosts with AES-GCM :(
@ermal:
Can you put net.inet.ipsec.debug=0xffffff and see what comes out on dmesg -a after that with AES-GCM traffic going?
There you go:
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
On the client behind pfSense I did a ping and on pfSense a tcpdump on WAN:
08:24:13.405650 IP 10.10.11.100 > 10.10.10.100: ESP(spi=0x81bb30b5,seq=0x190), length 128
08:24:13.405808 IP 10.10.10.100 > 10.10.11.100: ESP(spi=0xc8c2a087,seq=0x1d7), length 120
As you can see, the ping is responded to, but the echo reply does not leave the LAN interface.
I'll now install pfSense on the other box too.
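The dmesg lines above (and the matching ones logged later against the ASA) all report payload lengths of 56 or 88 octets, which are multiples of 4 and 8 but not of 16. For ESP, RFC 4303 requires the encrypted payload to end on a 4-octet boundary; the stricter "whole number of 16-octet blocks" rule is a property of CBC-mode ciphers, not of a counter-mode AEAD such as AES-GCM. The following script is an added example, not code from the thread or from pfSense: it parses esp_input rejection lines from dmesg, groups them per SA, and compares the logged length against both rules, so the reader can tell whether the sender padded incorrectly or the receiver applied the wrong alignment check. The SPI-to-transform mapping is an assumption the operator supplies from the Phase 2 configuration, and the embedded dmesg text is constructed to match the format in this thread.

```python
import re
from collections import defaultdict

# Alignment each ESP transform requires of the payload that follows the
# ESP header and IV. RFC 4303 requires 4-octet alignment for any ESP
# payload; CBC-mode ciphers additionally need whole 16-octet blocks.
ALIGNMENT = {"aes-cbc": 16, "aes-gcm": 4}

# Shape of the FreeBSD esp_input diagnostic as logged in the thread.
LINE_RE = re.compile(
    r"esp_input: payload of (?P<len>\d+) octets not a multiple of "
    r"(?P<block>\d+) octets, SA (?P<peer>[\d.]+)/(?P<spi>[0-9a-fA-F]+)"
)

# Constructed sample input following the format of the thread's dmesg output.
SAMPLE_DMESG = """\
aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard
esp_input: payload of 56 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.11.100/c8c2a087
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
"""


def parse_esp_input(text):
    """Yield one record per esp_input rejection line; unrelated dmesg lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "len": int(m["len"]),
                "block": int(m["block"]),
                "peer": m["peer"],
                "spi": m["spi"].lower(),
            }


def classify(length, kernel_block, transform):
    """Compare the kernel's check against what the transform actually requires."""
    required = ALIGNMENT[transform]
    return {
        "kernel_check": kernel_block,
        "required": required,
        "meets_required": length % required == 0,
        "fails_kernel_check": length % kernel_block != 0,
    }


def summarize(text, sa_transform):
    """Group rejections per SA and say whether sender padding or the receiver's check is at fault.

    sa_transform maps a lowercase SPI (as printed in the log) to a transform name;
    SPIs not in the map are assumed to be aes-cbc (assumption, not from the thread).
    """
    per_sa = defaultdict(list)
    for rec in parse_esp_input(text):
        per_sa[(rec["peer"], rec["spi"])].append(rec)

    report = {}
    for (peer, spi), recs in per_sa.items():
        transform = sa_transform.get(spi, "aes-cbc")
        lengths = sorted({r["len"] for r in recs})
        verdicts = [classify(n, recs[0]["block"], transform) for n in lengths]
        # If every logged length already satisfies the transform's own rule,
        # the sender did nothing wrong and the receiver is checking the wrong modulus.
        all_meet_required = all(v["meets_required"] for v in verdicts)
        report[f"{peer}/{spi}"] = {
            "transform": transform,
            "count": len(recs),
            "lengths": lengths,
            "verdict": "receiver check too strict" if all_meet_required else "sender padding wrong",
        }
    return report


if __name__ == "__main__":
    # Both SAs in the sample were negotiated with AES-GCM (assumed mapping).
    for sa, info in summarize(SAMPLE_DMESG, {"c8c2a087": "aes-gcm", "c95c270c": "aes-gcm"}).items():
        print(sa, info)
```

Run against a real dmesg capture, the mapping is the only thing to adjust: an SA whose lengths fail even the 4-octet rule points at the peer's padding, while lengths that pass it but still trip the 16-octet check point at the receiving kernel's ESP input validation.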
-
This is with the latest of pfSense snapshots?
The padding should be done by the host on this, and I expect Linux to not send such frames without a multiple of the block size!
-
Ok, tests are finished successfully!
I installed pfSense on the other box too. Latest RC on both now.
With AES256 I get 45MB/s in and out; with AES-GCM everything works now and I get 106MB/s in and out.
I'll go to the libreswan mailing list to check if they have an error in the code.
Thanks for your patience and the fast help!
Will put all the result to www.routerperformance.net
-
That performance is from a software test only, I guess.
AES-GCM can go up to 90% link speed if you have the CPU power with the AESNI module loaded.
This was seen in tests performed internally with pfSense.
-
Sorry for coming back, but now I'm testing compatibility between pfSense and an ASA5515 (9.3.2).
Same situation: with AES-GCM there's no ping going through, switching back to AES256/SHA2 everything works fine.
It seems to me there's a workaround or better understanding between 2 pfSense boxes :(
-
Can you let me know if you get the same error on dmesg -a when enabling that sysctl as before?
FYI https://redmine.pfsense.org/issues/4248
-
Yes, same error with ASA:
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
esp_input: payload of 88 octets not a multiple of 16 octets, SA 10.10.10.100/c95c270c
-
A fix will go in for 2.2 that will correct the issue.