Netgate Discussion Forum

Bandwidth IPSEC / AES-NI / Bad perf

IPsec
    Yazur
    last edited by Yazur Sep 7, 2020, 2:37 PM

    Hello,

    I'm currently encountering a bandwidth problem in an IPSEC tunnel between 2 pfsense.

    The first pfsense is physical at our company headquarters.
    The second is virtual on a private cloud OVH "ESX vmware".

    From my PC in LAN at our company headquarters, I get 8mo/s download and 3mo/s through the ipsec tunnel.

    By doing a speedtest from the LAN of the head office I get 30 mbps download and 60 mbps upload.

    And by doing a speedtest from OVH I get 30 mbps download and 30 mbps upload.

    The hardware we have supports "AES-NI".

    What we have tried:

    • Change "MTU and MSS".
    • Changing the IPSEC configuration
    • Activation of AES-NI in pfsense --> advanced --> Miscellaneous

    Do you have any other ideas?

      Yazur
      last edited by Sep 9, 2020, 2:31 PM

      up

        Yazur
        last edited by Sep 11, 2020, 9:46 AM

        up

          Rico LAYER 8 Rebel Alliance
          last edited by Sep 11, 2020, 9:58 AM

          Which Cipher are you using?
          I'm not an IPsec guy (using OpenVPN all day long...) BUT I think it is the same with IPsec... you need to use AES-GCM to really have AES-NI kick in.

          -Rico

            Napsterbater @Rico
            last edited by Sep 12, 2020, 10:58 PM

            Try these settings for Phase 1 and 2. I'm pretty sure I based them on an official guide or wiki entry but I can not find it right now, but I'm hitting about 315 Mbps (maxing out the link) with the weaker side being just an Intel Celeron N3150 @ 1.60GHz 4 CPUs: 1 package(s) x 4 core(s).


              Yazur @Napsterbater
              last edited by Sep 17, 2020, 9:43 AM

              @Napsterbater @Rico

              Thank you for your answers, could you tell me if you are on virtual or physical hardware?

              Because on our side we are on virtualization on one side and physical on the other.

              We had also tested in the past to have VIRTUAL hardware on both sides, without having a difference in performance.

              Here are our P1 and P2 configurations:


                Napsterbater @Yazur
                last edited by Sep 19, 2020, 3:13 PM

                @Yazur said in Bandwidth IPSEC / AES-NI / Bad perf:

                Because on our side we are on virtualization on one side and physical on the other.

                Physical, both sides.

                Make sure

                System -> Advanced -> Miscellaneous:
                Cryptographic Hardware: AES-NI CPU-based Acceleration

                is set.

                And make sure both systems show:

                "AES-NI CPU Crypto: Yes (active)"
                on the dashboard under System Information / CPU Type

                  Yazur
                  last edited by Sep 21, 2020, 7:31 AM

                  I checked and the AES-NI is well activated on both sides.

                  Are our P1 and P2 configurations good?

                    Napsterbater @Yazur
                    last edited by Sep 22, 2020, 3:26 AM

                    @Yazur said in Bandwidth IPSEC / AES-NI / Bad perf:

                    Are our P1 and P2 configurations good?

                    I can only note they do not match mine exactly, but I do not know if they are wrong and if they should be working or not.

                    I only know that my exact settings work. :-/

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.