Slow IPsec throughput
-
I have set up an IPsec connection between two pfSense (2.4.1) machines over the internet.

purdue.computerbb.org (suddenlink 200/20 mbps)
Intel(R) Core(TM) i7-2600S CPU @ 2.80GHz
8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)

midland.computerbb.org (charter 60/4 mbps)
Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: No

18 hops between sites:

  1     1 ms    <1 ms    <1 ms  maggie.computerbb.org [192.168.11.1]
  2     *        *        *     Request timed out.
  3    10 ms    12 ms    10 ms  173-219-225-156.suddenlink.net [173.219.225.156]
  4    21 ms    19 ms    19 ms  173-219-225-86.suddenlink.net [173.219.225.86]
  5     *        *       25 ms  173-219-152-193.suddenlink.net [173.219.152.193]
  6    25 ms    26 ms    25 ms  eqix-da1.chartercom.com [206.223.118.135]
  7    30 ms    29 ms    28 ms  bbr01dllstx-bue-803.dlls.tx.charter.com [96.34.3.246]
  8    57 ms    56 ms    52 ms  bbr01blvlil-bue-805.blvl.il.charter.com [96.34.0.16]
  9    53 ms    53 ms    54 ms  bbr01olvemo-bue-3.olve.mo.charter.com [96.34.0.14]
 10    57 ms    60 ms    59 ms  bbr02chcgil-bue-2.chcg.il.charter.com [96.34.0.12]
 11    55 ms    59 ms    61 ms  bbr01chcgil-bue-800.chcg.il.charter.com [96.34.0.66]
 12    65 ms    63 ms    70 ms  bbr01ftwotx-tge-0-3-0-2.ftwo.tx.charter.com [96.34.0.138]
 13    70 ms    72 ms    71 ms  crr02aldlmi-bue-808.aldl.mi.charter.com [96.34.2.11]
 14    62 ms    63 ms    65 ms  crr01aldlmi-bue-21.aldl.mi.charter.com [96.34.32.34]
 15    65 ms    66 ms    66 ms  crr01sgnwmi-bue-5.sgnw.mi.charter.com [96.34.34.243]
 16    68 ms    68 ms    69 ms  dtr01bycymi-bue-428.bycy.mi.charter.com [96.34.35.7]
 17     *        *        *     Request timed out.
 18    80 ms    76 ms    75 ms  71-10-147-40.dhcp.sgnw.mi.charter.com [71.10.147.40]

When I upload from purdue to midland via sftp outside the IPsec tunnel, I get very close to my 20 mbps upload speed.
Uploading inside the IPsec tunnel, I'm lucky to get 10 mbps.

MSS clamping is set to 1400 on both ends, but I think this feature is non-functional.

C:\Users\ccb05>ping midland.computerbb.org -f -l 1472

Pinging borchert-midland.dyndns.org [71.10.147.40] with 1472 bytes of data:
Reply from 71.10.147.40: bytes=1472 time=78ms TTL=52
Reply from 71.10.147.40: bytes=1472 time=79ms TTL=52
Reply from 71.10.147.40: bytes=1472 time=77ms TTL=52
Reply from 71.10.147.40: bytes=1472 time=79ms TTL=52

Ping statistics for 71.10.147.40:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 77ms, Maximum = 79ms, Average = 78ms

C:\Users\ccb05>ping server -f -l 1472

Pinging server [192.168.13.23] with 1472 bytes of data:
Reply from 192.168.13.23: bytes=1472 time=79ms TTL=62
Reply from 192.168.13.23: bytes=1472 time=78ms TTL=62
Reply from 192.168.13.23: bytes=1472 time=83ms TTL=62
Reply from 192.168.13.23: bytes=1472 time=81ms TTL=62

Ping statistics for 192.168.13.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 78ms, Maximum = 83ms, Average = 80ms

Regardless, I don't think the packets are being fragmented.
CPU utilization on both machines is nearly 0 during the transfers.
Any idea why IPsec is so slow?

