Netgate Discussion Forum
    Alix IPsec benchmarks 1.2 1.2.2 1.2.3 glxsb hifn

    • dotdash

      I've done some testing with a couple of Alix 2c3 boxes with iperf.
      All tests were done using the same setup:
      Pc1---lan-Alix1-wan-(ipsec)-wan-Alix2-lan---Pc2
      PCs are running base loads of FreeBSD 7.1 beta2, em NICs. Alix WANs connected via crossover.
      The hifn cards used were Soekris vpn1411s in each box.

      Here is with AES-128
      1.2           14 Mb/s
      1.2(hifn)     37 Mb/s
      1.2.2         14 Mb/s
      1.2.2(glxsb)  13 Mb/s  *kldload glxsb.ko on each box after booting
      1.2.2(hifn)   26 Mb/s
      1.2.3         13 Mb/s  *pfSense-1.2.3-20090225-0212.img (glxsb is in the kernel)
      1.2.3(hifn)   12 Mb/s

      This is with 3DES
      1.2           8 Mb/s
      1.2(hifn)     39 Mb/s
      1.2.3         8 Mb/s
      1.2.3(hifn)   27 Mb/s

      Granted there could be faults with my testing, but here are some observations:

      1. glxsb is not helping IPsec throughput in my configuration. It may be lowering CPU usage; I didn't check that.
      2. The vpn1411 helps IPsec throughput significantly.
      3. Having glxsb in the kernel is a bad idea if you have a hifn and want to do AES.
      4. The 7.x releases seem to be slower with hardware crypto.

      These results lead me to believe that keeping glxsb in the 1.2.3 kernel is a bad idea. Perhaps a checkbox that would add it to the loader.conf? That way it could be disabled for hifn users.

      For sanity checking, here are my IPsec settings:
      aggressive negotiation
      identifier my ip address
      rijndael sha1 DH group 2 lifetime 28800 PSK
      Phase 2
      ESP rijndael (AES) SHA1 PFS 2 lifetime 28800

      • plamaiziere

        @dotdash:

        1.2.2(glxsb) 13 Mb/s *kldload glxsb.ko on each box after booting

        Hi, I've filed a PR about the poor performance of the glxsb(4) driver and IPsec,
        see http://www.freebsd.org/cgi/query-pr.cgi?pr=132622

        With an IPsec tunnel without HMAC authentication, the throughput of glxsb is around 50 Mbits.
        But with SHA1 authentication, the throughput is less, because glxsb only accelerates aes-128-cbc encryption.

        • dotdash

          Thanks for the follow-up. Your effort on the glxsb driver is appreciated. I believe once the bugs are worked out, it is going to be very helpful to those running Alix and Soekris boxes.

          • cmb

            I just happened to find this now that I'm messing with glxsb. We added the patch in kern/132622 in March; it's in 1.2.3 snapshots. Thanks much for your work on glxsb, Patrick! Glad to see you on our forum too.

            We're looking at building glxsb as a module right now, so we can test with and without it, and to get it out of the way when you have a much faster Hifn installed.

            I'm seeing 19.4 Mbps through IPsec with AES-128 on an ALIX with glxsb, and 40 Mbps 3DES with a hifn 7955 (Soekris vpn1411) vs. 8.4 Mbps 3DES without hifn. Nice performance boost with the hifn. Not sure what impact glxsb has yet.
