Poor IPSEC performance



  • Hey guys, I've got an APU2C4 running 2.3.2_1 over a 75/75 connection with an IPSEC tunnel to a Mikrotik RB750Gr3 on a 100/10 connection.  Both hardware platforms support hardware based encryption.  From the Mikrotik to pfSense I've been consistently exceeding the upload and getting about 11megs.  From pfSense to the Mikrotik I've been getting about 7.  Crptographic hardware has been set for AES-NI based CPU Acceleration under Advanced, Miscellaneous in pfSense from the start.  Changing the MSS on both platforms to 1350 got me from 7 megs to 14.  Enabling all the hardware offload options in pfSense made no difference.
    Both sides are using AES-CBC 128 with SHA1 for both phases with a DH group of 1024 and PFS of 1024.
    Both internet connections are exceeding their specs when the speed is tested.
    Using an OpenVPN connection from the same pfSense box to an older non-hardware accelerated Mikrotik yielded 30 megs from pfSense to Mikrotik but the same IPSEC results.
    Any ideas where to go next?


Log in to reply