IPsec High CPU
jeffsmith82:

      I'm seeing CPU spike on one core when I push a lot of traffic across a VPN tunnel to another one of our sites. I know IPSec is single threaded so when it uses all the cpu on one core that's the limit.

      I was wondering if there is any good guide on which Ciphers to pick for my particular hardware. The CPU I have is

      CPU: Intel(R) Xeon(R) CPU E5-1410 0 @ 2.80GHz (2800.06-MHz K8-class CPU)
        Origin="GenuineIntel"  Id=0x206d7  Family=0x6  Model=0x2d  Stepping=7
        Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>
        Features2=0x1fbee3ff <sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx>
        AMD Features=0x2c100800 <syscall,nx,page1gb,rdtscp,lm>
        AMD Features2=0x1 <lahf>
        XSAVE Features=0x1 <xsaveopt>
        VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
        TSC: P-state invariant, performance statistics

      I can see "AES-NI CPU Crypto: Yes (inactive)" but the ciphers I'm currently using for the tunnels are ESP, 3DES + SHA1. Would I get better performance if I switched to AES?

      https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported this page does say use AES-GCM on both sides of the tunnel.

mgaudette:
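An added example, not posted by either participant: a small POSIX shell check that reads the CPU feature flags exactly as the dmesg lines above print them and reports which of the ciphers under discussion the aesni(4) driver could accelerate. The sample input is the poster's own Features2 line; on a live box you would pipe in the real dmesg output instead, and the kldstat command at the end is the standard FreeBSD way to confirm the aesni module is actually loaded (it is "inactive" until it is).

```shell
#!/bin/sh
# Added example: decide from the CPU feature flags printed by dmesg
# whether AES-GCM, AES-CBC, or nothing can be hardware-accelerated.
# Constructed sample input: the Features2 line quoted in the post above.
SAMPLE_DMESG='  Features2=0x1fbee3ff <sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx>'

# has_flag TEXT FLAG -> exit 0 if FLAG appears inside a <...> feature list.
# Splits on '<', '>' and ',' so a flag like "sse4.1" is matched exactly.
has_flag() {
    printf '%s\n' "$1" | tr '<>,' '\n\n\n' | grep -qx "$2"
}

# aes_advice TEXT -> prints one of: aes-gcm | aes-cbc | software
#   aesni + pclmulqdq : AES-GCM, both AES and the GHASH multiply in hardware
#   aesni only        : AES-CBC accelerated; GCM's GHASH would fall back to software
#   neither           : 3DES and AES both run in software, so one core saturates
aes_advice() {
    if has_flag "$1" aesni; then
        if has_flag "$1" pclmulqdq; then
            echo aes-gcm
        else
            echo aes-cbc
        fi
    else
        echo software
    fi
}

# On a real pfSense/FreeBSD box, replace the sample with the live flags:
#   aes_advice "$(dmesg | grep -E '^ *Features2=')"
# and confirm the driver is loaded (pfSense shows "inactive" until it is):
#   kldstat -n aesni
aes_advice "$SAMPLE_DMESG"
```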

        Not quite an answer to your question, but I'm watching this thread with curiosity.

        First of all, if you want to use AES you should activate it (in pfSense Advanced > Misc > Cryptographic hardware).

        My very limited experience with AES-NI (I just installed the proper hardware 2 days ago and am still running tests) is that with AES crypto active and using AES-GCM128 it doesn't actually push a lot more data through, but it does let the CPU breathe for other stuff.

        In other words, before I had AES-NI the router became unresponsive during large transfers, but in the end the transfer went through by sheer CPU power. Right now, with AES-NI, the transfer is slower (even with a much faster CPU!!!) but the router stays 100% responsive to everything (SNMP, run-of-the-mill routing, etc.) - the CPU actually hovers at 3% usage during transfer, as reported by the pfSense dashboard. It used to hit 90%+ on the older non-AES-NI hardware.

        I have no idea if this is what to expect (and if so, it's disappointing, I wanted faster transfer). I don't want to hijack your thread but additional hints and tips would be welcomed and would probably help you too.
