Another "What CPU for Gigabit" thread (with details)



  • Currently I have a C2758 on both ends of an IKEv2 IPSec Site-to-Site tunnel. I can get a max of 600-650Mbps over my 1Gbps line using the following settings, which in my testing have yielded me the best speeds:

    I currently have no IPS/DPI enabled. I'd like to be able to get as close as possible to maxing out my IPSec VPN connection and I'd like to be able to enable Suricata.

    Can anyone who is doing 1Gbps IPSec with Suricata tell me what CPU you are using or recommend me an upgrade?


  • Netgate Administrator

    How are you testing the speed? What is the latency across the tunnel?

    Do you have asynchronous cryptography enabled?

    Steve



  • A C-series is not going to cut it. You are going to need a Core i3 or higher at at least 3GHz or faster. VPN is not multi-threaded IIRC, so you need the fastest single-threaded performance you can get.


  • Netgate Administrator

    If you have asynchronous cryptography enabled in the IPSec advanced settings it is able to use the CPU cores far more effectively. I've seen the SG-5100 push close to 1Gbps in local testing using that with its C3558. However, on some systems it kills throughput completely, so it's not something you want to enable without careful testing.

    Steve



  • @stephenw10 said in Another "What CPU for Gigabit" thread (with details):

    How are you testing the speed? What is the latency across the tunnel?

    Do you have asynchronous cryptography enabled?

    Steve

    Now that I think of it, it's probably the file transfer protocols I'm using (samba/rsync) that are causing the slowdowns. iperf shows full line speed (940Mbps+). Latency is 4ms across the tunnel. I am using async crypto.


  • Netgate Administrator

    Ah, well hard to argue with that! 😉

    Steve

