IPsec High CPU



  • I'm seeing CPU spike on one core when I push a lot of traffic across a VPN tunnel to another one of our sites. I know IPSec is single threaded so when it uses all the cpu on one core that's the limit.

    I was wondering if there is any good guide on which Ciphers to pick for my particular hardware. The CPU I have is

    CPU: Intel(R) Xeon(R) CPU E5-1410 0 @ 2.80GHz (2800.06-MHz K8-class CPU)
      Origin="GenuineIntel"  Id=0x206d7  Family=0x6  Model=0x2d  Stepping=7
      Features=0xbfebfbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x1fbee3ff <sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx>AMD Features=0x2c100800 <syscall,nx,page1gb,rdtscp,lm>AMD Features2=0x1 <lahf>XSAVE Features=0x1 <xsaveopt>VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
      TSC: P-state invariant, performance statistics

    I can see "AES-NI CPU Crypto: Yes (inactive)" but the ciphers i'm currently using for the tunnels are ESP, 3DES + SHA1. Would I get better performance if I switched to aes ?

    https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported this page does say use AES-GCM on both sides of the tunnel.</xsaveopt></lahf></syscall,nx,page1gb,rdtscp,lm></sse3,pclmulqdq,dtes64,mon,ds_cpl,vmx,smx,est,tm2,ssse3,cx16,xtpr,pdcm,pcid,dca,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>



  • Not quite an answer to your question, but I'm watching this thread with curiosity.

    First of all, if you want to use AES you should activate it (in pfSense Advanced-Misc-Cryptographic hardware)

    My very limited experience with AES-NI (I just installed the proper hardware 2 days ago and am still running tests) is that with AES crypto active and using AES-GCM128 it doesn't actually push a lot more data thorough, but it does let the CPU breath for other stuff.

    In other words, before I had AES-NI the router became unresponsive during large transfers, but  in the end the transfer went through through sheer CPU-power. Right now, with AES-NI, the transfer is slower (even with a much faster CPU!!!) but the router stays 100% responsive to everything (SNNP, run of the mill routing, etc) - the CPU actually hovers at 3% usage during transfer, as reported by the pfSense dashboard. It used to hit 90%+ on the older non-AES-NI hardware.

    I have no idea if this is what to expect (and if so, it's disappointing, I wanted faster transfer). I don't want to hijack your thread but additional hints and tips would be welcomed and would probably help you too.