IPsec performance

  • Hi,

    I have two HP computers, one a DL360G7 (with AES-NI enabled) and one run-of-the-mill HP PC configured as pfSense 2.4.2 routers (also with AES-NI). One has 8GB of RAM, the other has 48GB of RAM.

    Here are dashboard snippets of CPUs.

    Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)
    Intel(R) Xeon(R) CPU E5606 @ 2.13GHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (active)

    I'm connecting those two networks through IPsec over as 100Mbit/s+ connection (tested at 115Mbit/s just now), and I am seeing a throughput of only 30Mbit/s with iperf3.  Both CPU's are hovering in the single digits, and there is basically nothing else going on this link.

    My IPsec is configured with AES-GCM128 SHA512.


    I believe the performance is not what you'd expect with such relatively beefy machines.

    What can  influence/improve IPsec performance? It actually seems to have decrease when I put the server in, as opposed to the old Lanner 7535 I had before (with no AES-NI)

  • …I ran iperf3 in reverse (i5 CPU decrypting instead of encrypting) - making the decrypting CPU the most powerful one. I can now reach 80Mbit/s.

    Still, I don't understand how this doesn't go any fast than my old Lanner (DL3650G7 vs Lanner FW-7535? Come on...). I thought I'd be able to saturate a 100Mbit/s link at least.

  • Sometimes you have good days, and sometimes bad ones.

    This is a bad day; I have been toying around too much around data centers and totally forgot my home internet wasn't quite as symetrically performant (faster download of course)

    I'll show myself out (and lock this thread)

Log in to reply