IPsec slow even on direct local Gbps link



  • pfSense to pfSense IPsec performance seems to be very slow, even via a direct local Gbps LAN link: only about 28 MBps when copying a large file from a NAS on the "remote LAN" (all the equipment and cabling really sit on my desk). By comparison, the speed is 112 MBps when copying the same large file from that NAS to a PC on the same LAN.

    The two pfSense routers are:

    1. a Netgate SG-5100 (192.168.1.0/24), hosting LAN1 with the NAS and the PC used to establish the 112 MBps benchmark.
    2. an i3-4130T powered Q87T mobo with 8 GB RAM and a fast SSD. (192.168.2.0/24), hosting LAN2 with the PC that copies to its desktop the file from the NAS on LAN1.

    The "internet" is provided by a Netgate SG-2440 (192.168.3.0/24) whose LAN port is connected to a Netgear Gbps switch. The respective WAN ports on pfSense routers 1 and 2 are connected to that same Netgear switch.

    The IPsec crypto is as follows: AES128-GCM (128 bits), SHA256, 14 (2048 bit)

    Firewall rules are wide open. No other extraneous packages are running (no Snort, Squid, Suricata, etc).

    During the file copy: The cpu of router 1 (SG-5100) is at 31%, the cpu of router 2 (i3-4130T) is at 19%, and the SG-2440 is at 8%.

    What could cause such a disappointing performance? Any insights would be appreciated.

    Larry



  • Problem completely solved. With proper crypto settings, ipsec throughput is 900 mbps on gbps LAN.



  • @lguy2000 What crypto settings did you end up with. I'm in similar boat and never see more than about 80 mbps.



  • Rod,

    Phase 1: AES128-GCM 128 bits SHA1 Group1
    Phase 2: AES128-GCM 128 bits no hash
    Enable Asynchronous Cryptography under IPsec > Advanced

    AES-NI CPU-based acceleration selected under System > Advanced > Miscellaneous

    Hope this helps.

    Let me know how it works out.

    Larry



  • @lguy2000 I didn't try those particular settings yet. I'm testing on 1gb WAN to WAN. Both sides on ATT fiber and only getting about 60Mbps tops.

    Phase 1 is AES128-GCM, 128 bit with AES-XCBC hash on DH14
    Phase 2 is AES128-GCM, 128 with no hash, DH14


Log in to reply