IPsec High CPU
jeffsmith82 last edited by
I'm seeing a CPU spike on one core when I push a lot of traffic across a VPN tunnel to another one of our sites. I know IPsec is single-threaded, so when it uses all the CPU on one core that's the limit.
I was wondering if there is any good guide on which ciphers to pick for my particular hardware. The CPU I have is:
CPU: Intel(R) Xeon(R) CPU E5-1410 0 @ 2.80GHz (2800.06-MHz K8-class CPU)
Origin="GenuineIntel" Id=0x206d7 Family=0x6 Model=0x2d Stepping=7
Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>
Features2=0x1fbee3ff <sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx>
AMD Features=0x2c100800 <syscall,nx,page1gb,rdtscp,lm>
AMD Features2=0x1 <lahf>
XSAVE Features=0x1 <xsaveopt>
VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
TSC: P-state invariant, performance statistics
I can see "AES-NI CPU Crypto: Yes (inactive)", but the ciphers I'm currently using for the tunnels are ESP, 3DES + SHA1. Would I get better performance if I switched to AES?
This page (https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported) does say to use AES-GCM on both sides of the tunnel.
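One way to answer the "would AES be faster" question on the box itself, as an added example that is not from the thread or from pfSense: benchmark the current 3DES-CBC cipher against AES-128-GCM with `openssl speed`, once with AES-NI and once with it masked out. It assumes an `openssl` binary on PATH; the sample summary line in the comments is constructed, and the cipher names are OpenSSL's EVP names rather than the pfSense phase 2 labels.

```shell
#!/bin/sh
# Compare the tunnel's current ESP cipher (3DES-CBC) with AES-128-GCM using
# `openssl speed -evp`, whose summary line lists throughput per block size in
# thousands of bytes per second. Assumes openssl is on PATH; cipher names are
# OpenSSL EVP names, not the pfSense phase 2 labels. The SHA1 HMAC that pairs
# with 3DES is not measured here; GCM authenticates in the same pass as it
# encrypts, which is one reason the pfSense doc recommends AES-GCM.

# Throughput (MB/s, integer) at the largest block size from one summary line,
# e.g. (constructed values, not a real run):
#   "aes-128-gcm  523491.20k 1455207.55k 2933650.09k 3618091.35k 3805184.00k"
summary_mbs() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v / 1000 }'
}

# $2 as a whole percentage of $1 (both MB/s); 100 means equal speed.
speedup_pct() {
    [ "$1" -gt 0 ] || { echo 0; return 1; }
    echo $(( $2 * 100 / $1 ))
}

# Summary line for one EVP cipher; one second per block size keeps the run short.
# OpenSSL 3 prints the cipher name in upper case, hence the case-insensitive match.
speed_line() {
    openssl speed -elapsed -seconds 1 -evp "$1" 2>/dev/null |
        awk -v c="$1" 'tolower($1) == tolower(c)'
}

# Same run with the AES-NI capability bit (bit 57) masked out via OPENSSL_ia32cap,
# so OpenSSL uses its software AES: shows how much of the gain comes from the
# instruction set rather than from the algorithm change.
speed_line_no_aesni() {
    env OPENSSL_ia32cap='~0x200000000000000' openssl speed -elapsed -seconds 1 \
        -evp "$1" 2>/dev/null | awk -v c="$1" 'tolower($1) == tolower(c)'
}

compare_ciphers() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    des=$(summary_mbs "$(speed_line des-ede3-cbc)")
    gcm=$(summary_mbs "$(speed_line aes-128-gcm)")
    gcm_soft=$(summary_mbs "$(speed_line_no_aesni aes-128-gcm)")
    echo "3DES-CBC:               ${des} MB/s"
    echo "AES-128-GCM (AES-NI):   ${gcm} MB/s ($(speedup_pct "$des" "$gcm")% of 3DES)"
    echo "AES-128-GCM (software): ${gcm_soft} MB/s"
}

# Runs the comparison when saved as cipher_bench.sh and executed directly.
case "${0##*/}" in cipher_bench.sh) compare_ciphers ;; esac
```

If the software AES figure is close to the AES-NI one, AES-NI is not actually being used by OpenSSL on that host, which is worth checking before blaming the cipher choice.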
mgaudette last edited by
Not quite an answer to your question, but I'm watching this thread with curiosity.
First of all, if you want to use AES you should activate it (in pfSense: Advanced > Misc > Cryptographic hardware).
My very limited experience with AES-NI (I just installed the proper hardware 2 days ago and am still running tests) is that with AES crypto active and using AES-GCM128 it doesn't actually push a lot more data through, but it does let the CPU breathe for other stuff.
In other words, before I had AES-NI the router became unresponsive during large transfers, but in the end the transfer went through by sheer CPU power. Right now, with AES-NI, the transfer is slower (even with a much faster CPU!!!) but the router stays 100% responsive to everything (SNMP, run-of-the-mill routing, etc.) - the CPU actually hovers at 3% usage during the transfer, as reported by the pfSense dashboard. It used to hit 90%+ on the older non-AES-NI hardware.
I have no idea if this is what to expect (and if so, it's disappointing; I wanted faster transfers). I don't want to hijack your thread, but additional hints and tips would be welcome and would probably help you too.