Netgate Discussion Forum
IPsec slow even on direct local Gbps link

lguy2000:

pfSense to pfSense IPsec performance seems to be very slow, even via a direct local Gbps LAN link: only about 28 MBps when copying a large file from a NAS on the "remote LAN" (all the equipment and cabling really sit on my desk). By comparison, the speed is 112 MBps when copying the same large file from that NAS to a PC on the same LAN.

The two pfSense routers are:

1. a Netgate SG-5100 (192.168.1.0/24), hosting LAN1 with the NAS and the PC used to establish the 112 MBps benchmark.
2. an i3-4130T-powered Q87T mobo with 8 GB RAM and a fast SSD (192.168.2.0/24), hosting LAN2 with the PC that copies the file from the NAS on LAN1 to its desktop.

The "internet" is provided by a Netgate SG-2440 (192.168.3.0/24) whose LAN port is connected to a Netgear Gbps switch. The respective WAN ports on pfSense routers 1 and 2 are connected to that same Netgear switch.

The IPsec crypto is as follows: AES128-GCM (128 bits), SHA256, 14 (2048 bit)

Firewall rules are wide open. No other extraneous packages are running (no Snort, Squid, Suricata, etc.).

During the file copy: the CPU of router 1 (SG-5100) is at 31%, the CPU of router 2 (i3-4130T) is at 19%, and the SG-2440 is at 8%.

What could cause such disappointing performance? Any insights would be appreciated.

Larry

lguy2000:

Problem completely solved. With proper crypto settings, IPsec throughput is 900 Mbps on a Gbps LAN.

RodSlinger (replying to lguy2000):

@lguy2000 What crypto settings did you end up with? I'm in a similar boat and never see more than about 80 Mbps.

lguy2000:

Rod,

Phase 1: AES128-GCM 128 bits SHA1 Group1
Phase 2: AES128-GCM 128 bits no hash
Enable Asynchronous Cryptography under IPsec > Advanced

AES-NI CPU-based acceleration selected under System > Advanced > Miscellaneous

Hope this helps.

Let me know how it works out.

Larry

RodSlinger (replying to lguy2000):
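Why the Phase 2 "no hash" choice in the settings above matters, shown with an added Go micro-benchmark that is not part of this thread: AES-GCM is an AEAD cipher whose tag already authenticates every packet, so pairing it with a separate SHA256 hash (the original Phase 2 setup) pays for a second pass over every packet, whereas the DH group is only used at key exchange and has no effect on bulk throughput. Assumed: a constructed 16-byte key and 1400-byte packets standing in for ESP payloads, and the Go standard library in place of the kernel IPsec path, so absolute numbers will differ from pfSense's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)
// pktSize is a constructed stand-in for an ESP payload on a 1500-byte MTU link.
const pktSize = 1400
// Throughput seals nPkts packets with AES-128-GCM and returns MB/s. With extraHash
// set, each sealed packet is also run through HMAC-SHA256, mimicking the redundant
// "AES-GCM + SHA256" pairing: GCM's tag already authenticates, so the HMAC is a second pass.
func Throughput(nPkts int, extraHash bool) (float64, error) {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 key (demo only)
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 128-bit AES block
	nonce := make([]byte, gcm.NonceSize())
	plain := make([]byte, pktSize) // constructed payload; contents do not affect cost
	mac := hmac.New(sha256.New, key)
	out := make([]byte, 0, pktSize+gcm.Overhead()+sha256.Size)
	start := time.Now()
	for i := 0; i < nPkts; i++ {
		// Fresh nonce per packet, as ESP derives one from its sequence counter.
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		out = gcm.Seal(out[:0], nonce, plain, nil)
		if extraHash {
			mac.Reset()
			mac.Write(out)
			out = mac.Sum(out) // appends a 32-byte HMAC tag after the GCM tag
		}
	}
	return float64(nPkts*pktSize) / 1e6 / time.Since(start).Seconds(), nil
}

func main() {
	for _, extra := range []bool{false, true} {
		mbs, err := Throughput(20000, extra)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AES-128-GCM, extra HMAC-SHA256=%t: %.0f MB/s\n", extra, mbs)
	}
}
```

Run it twice, once with AES-NI enabled and once with the CPU feature masked off at the OS level, to see how much of the GCM figure comes from hardware acceleration.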

@lguy2000 I didn't try those particular settings yet. I'm testing on 1 Gb WAN to WAN. Both sides are on ATT fiber and only getting about 60 Mbps tops.

Phase 1 is AES128-GCM, 128 bit with AES-XCBC hash on DH14
Phase 2 is AES128-GCM, 128 with no hash, DH14

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.