2.2.4 IPSEC performance
-
Hi guys,
I am running 2.2.4 both at a data centre and our offices. Office has a 100/100 line and DC 1000/1000.
Just recently I have noticed poor performance when transfering files between servers at the office and the DC using SSH (scp command). Because this is a recent problem and I can remember better throughput a couple of weeks ago I, I beleieve the problem might lie elsewhere anyway but wanted to ask this question anyway….
The pfSense boxes at the DC run 2 x Xeon X5560 CPU's, the office runs 2 x Xeon L5410's. All machines have ample memory and CPU the CPU's never seem to break a sweat.
Are these CPU's fast enough to support an IPSEC VPN at 100Mbit/s throughput? Recently I am seeing more like 20Mbit/s.
Would I benefit from changing to CPU's that support AES-NI or do I already have enough power to support an AES 100Mbit/s throughput VPN?
Lastly, I have come across some articles online covering similar performance issues on 2.2.4 with AES IPSEC. Is this a known issue?
Cheers
Tom -
You can get more than 100 Mb through CPUs that fast. One thing to watch out for is making sure you have MSS clamping enabled, if you have packet loss like reaching a bandwidth limit anywhere along the path and drop an ESP fragment, it'll have a pretty significant impact on TCP performance.
There are no known issues.
-
Are these CPU's fast enough to support an IPSEC VPN at 100Mbit/s throughput? Recently I am seeing more like 20Mbit/s.
It is more the question, as I see it right, what is running on or installed on the machine natively! If this if pfSense
this might be a real strong pfSense box, but if this is the Windows machine where the DC residents on, it
might be better to let pfSense handle this VPN directly! So this might be a good question that should be at
first answered by you.Would I benefit from changing to CPU's that support AES-NI or do I already have enough power to support an AES 100Mbit/s throughput VPN?
For sure this IPSec VPN using the AES-GCM algorithm will really impact from this AES-NI CPU register.
Lastly, I have come across some articles online covering similar performance issues on 2.2.4 with AES IPSEC. Is this a known issue?
Since version 2.2.5 this is not really anymore true! Please upgrade to 2.2.6 and all will be fine for this.
What modem you are using?
Or is this a router with VPN pass through or opened ports and port forwarding?
I would suggest to set up a modem such the Draytek Vigor 130 in front of the firewall and behind
this it would more tend on what you have installed on the pfSense and what beside and what services
are running there on top of the VPN, but a SG-8860 in the headquarter and a SG-4860 in the branch
office would be Ok to get the most out of it. -
@cmb:
You can get more than 100 Mb through CPUs that fast. One thing to watch out for is making sure you have MSS clamping enabled, if you have packet loss like reaching a bandwidth limit anywhere along the path and drop an ESP fragment, it'll have a pretty significant impact on TCP performance.
There are no known issues.
Thanks for the info, where should I be enabling MSS Clamping? Also, there are multiple AES options in the phase 1 config. AES and AES128 GCM,192 GCM and 256 GCM. What are the GCM modes as opposed to the normal AES? Should I be using them?
@BlueKobold:
Are these CPU's fast enough to support an IPSEC VPN at 100Mbit/s throughput? Recently I am seeing more like 20Mbit/s.
It is more the question, as I see it right, what is running on or installed on the machine natively! If this if pfSense
this might be a real strong pfSense box, but if this is the Windows machine where the DC residents on, it
might be better to let pfSense handle this VPN directly! So this might be a good question that should be at
first answered by you.Would I benefit from changing to CPU's that support AES-NI or do I already have enough power to support an AES 100Mbit/s throughput VPN?
For sure this IPSec VPN using the AES-GCM algorithm will really impact from this AES-NI CPU register.
Lastly, I have come across some articles online covering similar performance issues on 2.2.4 with AES IPSEC. Is this a known issue?
Since version 2.2.5 this is not really anymore true! Please upgrade to 2.2.6 and all will be fine for this.
What modem you are using?
Or is this a router with VPN pass through or opened ports and port forwarding?
I would suggest to set up a modem such the Draytek Vigor 130 in front of the firewall and behind
this it would more tend on what you have installed on the pfSense and what beside and what services
are running there on top of the VPN, but a SG-8860 in the headquarter and a SG-4860 in the branch
office would be Ok to get the most out of it.Thanks for your post. This IPSEC tunnel is pfSense on both ends. One end has a 100Mbit/100Mbit Ethernet WAN connection straight to the ISP and the other a Ethernet 1000Mbit/1000Mbit straight to the ISP. There is no modem, port forwarding or NAT on the WAN sides. My pfSense WAN interfaces are on publicly routable LAN's.
I have just updated to 2.2.6 as well and am having similar issues. I am currently doing some performance testing with IPERF through the VPN and outside of the VPN for comparisons.
Tom
-
Here is some test data:
NO VPN, UPSTREAM TEST
[SUM] 0.00-60.06 sec 678 MBytes 94.7 Mbits/sec sender
VPN UPSTREAM TEST
[SUM] 0.00-60.34 sec 646 MBytes 89.8 Mbits/sec sender – MSS CLAMP 1300
NO VPN DOWNSTREAM TEST
[SUM] 0.00-60.00 sec 664 MBytes 92.8 Mbits/sec 3740 sender
VPN DOWNSTREAM TEST
[SUM] 0.00-60.02 sec 625 MBytes 87.4 Mbits/sec 3158 sender – MSS CLAMP 1300
As you can see performance is within ~10Mbits of the max rate. This is much better that what I have been seeing however it is the middle of the night and I expect there is far less congestion on the networks this routes over.
However, im still keen to know why I am not maxxing out the connection speed using IPSEC even with my twin quad core xeon boxes?
Tom
-
However, im still keen to know why I am not maxxing out the connection speed using IPSEC even with my twin quad core xeon boxes?
If this CPU has AES-NI and you will be trying out IPSec (AES-GCM) it could be that you will be getting other
numbers or it will be even acting faster.