IPSEC Performance

  • We have 2 HP Servers with 900/450mbps internet connections.

    We are only getting 150-200mbps of bandwidth out of the IPsec tunnel.

    One server (source) does have the option for hardware crypto.

    Both servers are running dual CPUs and 64gb of RAM.

    Using AES-256-SHA1-GR2 for tunnel configuration.

    What can I do to max out the tunnel connection?

  • That depends on what the actual limiting factor is.

    Did you check the easy options already?

    • IPSec MSS Clamping
    • NIC Hardware Offloading
    • if AES-NI is actually active in BIOS/(U)EFI and in pfSense
    • if switching to AES-GCM improves throughput (assuming hashing performance is a potentially limiting factor)

  • WAN MTU is set to 1500
    MSS clamping is set to 1380
    I have offloading turned off
    AES-NI is not active
    I'll try AES-GCM

    CPUs are at 3-5% so not doing much.
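An added worked calculation (not from anyone in this thread) showing how much TCP payload one ESP tunnel-mode packet can carry at a WAN MTU of 1500 under the poster's AES-256-CBC/HMAC-SHA1 configuration versus AES-GCM, with and without NAT-T, so the 1380 clamp can be checked against the cipher in use. ESP field sizes follow RFC 4303 and RFC 4106; the cipher labels in the dictionary are names chosen for this example, not pfSense's own.

```python
# Added example: ESP tunnel-mode framing overhead vs. TCP MSS for a given WAN MTU.
# Field sizes follow RFC 4303 (ESP) and RFC 4106 (AES-GCM in ESP); the cipher
# labels below are chosen for this example and are not pfSense's names.

IPV4_HDR = 20      # outer and inner IPv4 header (no options)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header added by NAT traversal (UDP/4500)

# cipher label -> (IV length, ICV length, padding alignment of the encrypted payload)
CIPHERS = {
    "aes-cbc-sha1": (16, 12, 16),  # AES-256-CBC + HMAC-SHA1-96, the thread's tunnel
    "aes-gcm":      (8, 16, 4),    # AES-GCM with a 16-byte ICV, the suggested alternative
}


def _fixed_overhead(cipher: str, nat_t: bool) -> int:
    """Bytes outside the encrypted, padded payload: outer IP, optional UDP, ESP header, IV, ICV."""
    iv, icv, _ = CIPHERS[cipher]
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + icv


def esp_packet_size(mss: int, cipher: str, nat_t: bool = False) -> int:
    """On-wire size of one ESP packet carrying a full-MSS TCP segment."""
    _, _, align = CIPHERS[cipher]
    plaintext = IPV4_HDR + TCP_HDR + mss + ESP_TRAILER
    padding = (-plaintext) % align          # pad up to the cipher's block/alignment size
    return _fixed_overhead(cipher, nat_t) + plaintext + padding


def max_tcp_mss(mtu: int, cipher: str, nat_t: bool = False) -> int:
    """Largest MSS whose ESP packet still fits the WAN MTU without fragmenting."""
    _, _, align = CIPHERS[cipher]
    room = mtu - _fixed_overhead(cipher, nat_t)
    room -= room % align                    # padded payload must be a multiple of align
    return room - ESP_TRAILER - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:13} nat_t={nat_t!s:5} max MSS = {max_tcp_mss(1500, cipher, nat_t)}")
    # The thread's clamp of 1380 versus the unclamped Ethernet default of 1460:
    print("MSS 1380 ->", esp_packet_size(1380, "aes-cbc-sha1", nat_t=True), "bytes (fits in 1500)")
    print("MSS 1460 ->", esp_packet_size(1460, "aes-cbc-sha1"), "bytes (fragments at MTU 1500)")
```

At MTU 1500 the 1380 clamp leaves the packet under the MTU for both ciphers even behind NAT-T, so framing is not what caps this tunnel; the few extra payload bytes AES-GCM allows per packet are negligible next to the CPU cost of the separate HMAC-SHA1 pass it removes.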

