IPSEC Performance
-
We have 2 HP servers with 900/450 Mbps internet connections.
We are only getting 150-200 Mbps of bandwidth out of the IPsec tunnel.
One server (source) does have the option for hardware crypto.
Both servers are running dual CPUs and 64 GB of RAM.
Using AES-256-SHA1-GR2 for tunnel configuration.
What can I do to max out the tunnel connection?
-
That depends on what the actual limiting factor is.
Did you check the easy options already?
- WAN NIC MTU
- IPSec MSS Clamping
- NIC Hardware Offloading
- if AES-NI is actually active in BIOS/(U)EFI and in pfSense
- if switching to AES-GCM improves throughput (assuming hashing performance is a potentially limiting factor)
-
WAN MTU is set to 1500
MSS clamping is set to 1380
I have offloading turned off
AES-NI is not active
I'll try AES-GCM.
CPUs are at 3-5%, so not doing much.
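
Added example, not part of the thread: a check of the MTU and MSS-clamping items above, computing how much ESP tunnel-mode encapsulation adds to each packet and the largest TCP MSS that still fits a 1500-byte WAN MTU without fragmentation. It assumes an IPv4 outer header, HMAC-SHA1 truncated to 96 bits for the CBC case, and a 128-bit ICV for AES-GCM; the names below are illustrative.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header, no options (assumed)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # UDP encapsulation header when NAT-T is in use
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) headers


@dataclass(frozen=True)
class Transform:
    name: str
    iv: int     # per-packet IV bytes carried on the wire
    align: int  # alignment the encrypted payload is padded to
    icv: int    # integrity check value bytes


AES_CBC_SHA1 = Transform("AES-256-CBC + HMAC-SHA1-96", iv=16, align=16, icv=12)
AES_GCM_128 = Transform("AES-256-GCM, 128-bit ICV", iv=8, align=4, icv=16)


def esp_packet_size(inner_len, t, nat_t=False):
    """On-wire size of one tunnel-mode ESP packet carrying inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // t.align) * t.align  # round up
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + udp + ESP_HEADER + t.iv + padded + t.icv


def max_mss(mtu, t, nat_t=False):
    """Largest TCP MSS whose full-size segments still fit in mtu after ESP."""
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + t.iv + t.icv
    inner = (mtu - fixed) // t.align * t.align - ESP_TRAILER
    return inner - INNER_IP_TCP


def clamp_fits(mss, mtu, t, nat_t=False):
    """True if a full-size segment at this MSS clamp avoids fragmentation."""
    return esp_packet_size(mss + INNER_IP_TCP, t, nat_t) <= mtu


if __name__ == "__main__":
    for t in (AES_CBC_SHA1, AES_GCM_128):
        for nat_t in (False, True):
            print(f"{t.name:28} NAT-T={nat_t!s:5} max MSS={max_mss(1500, t, nat_t)} "
                  f"clamp 1380 fits={clamp_fits(1380, 1500, t, nat_t)}")
```

Under these assumptions the 1380 clamp from the thread fits in every case, so fragmentation from an oversized MSS is not what limits throughput here.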