What's wrong with my ipsec?
-
With a FortiGate 60E connecting to pfSense (in my office), IPsec can run at my full WAN speed.
I have a 1Gbps line, so I got an N5105 box and created a pfSense gateway to replace the FortiGate, but the IPsec speed is only at full speed at the beginning when I copy files over SMB. Can anybody help me? I tried ESXi 6.7, ESXi 7 and ESXi 8, same result.
-
I used a 200M ADSL line for the above test, and used the same pfSense box on the office side. I don't have more firewall rules than the IPsec one.
-
@ciozhe I notice that your pfSense instance has neither AES-NI nor QAT, which means you are not getting any hardware acceleration. Perhaps the FortiGate did benefit from one of those features?
-
@ciozhe
You have to enable AES-NI hardware acceleration in System > Advanced > Miscellaneous > Cryptographic Hardware and reboot the box.
-
My hardware supports AES-NI; I enabled it and restarted pfSense, but there seems to be no change.
-
@ciozhe
What encryption algorithm are you using in the IPsec? AES-GCM should provide the best performance with AES-NI set.
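The two suggestions above (turn on AES-NI under Cryptographic Hardware, and use an AES-GCM proposal) only help if the CPU actually exposes the AES-NI instruction set, and the GUI setting does not verify that for you. The following is an added example, not code from the thread or from pfSense: a small POSIX shell script that checks the host's CPU flags (Linux via /proc/cpuinfo, FreeBSD/pfSense via the kernel's Features2 line in dmesg) and classifies a phase-2 encryption name as AEAD or not. The flag strings and proposal names (`aes256gcm128`, `aes256-sha256`) are constructed sample inputs in strongSwan-style naming, used here only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the CPU really offers AES-NI
# before expecting pfSense's "Cryptographic Hardware" setting or an AES-GCM
# proposal to raise IPsec throughput. Without the flag the tunnel encrypts
# in software no matter what the GUI says.

# has_aesni FLAGS : return 0 if the space-separated flag list contains the
# AES-NI instruction set. Linux reports it as "aes", FreeBSD dmesg as "AESNI".
has_aesni() {
    for f in $1; do
        case "$f" in
            aes|AESNI) return 0 ;;
        esac
    done
    return 1
}

# is_aead PROPOSAL : return 0 when the phase-2 cipher name is an AEAD cipher
# (AES-GCM or ChaCha20-Poly1305), which authenticates and encrypts in one pass
# with no separate HMAC; return 1 for CBC + separate hash combinations.
is_aead() {
    case "$1" in
        aes*gcm*|chacha20poly1305) return 0 ;;
        *) return 1 ;;
    esac
}

# host_cpu_flags : print the CPU feature list of the machine running this
# script. Linux: first "flags" line of /proc/cpuinfo. FreeBSD (pfSense): the
# "Features2=0x...<...,AESNI,...>" line from dmesg, with the brackets and
# commas turned into spaces. Prints nothing if neither source is readable.
host_cpu_flags() {
    if [ -r /proc/cpuinfo ]; then
        grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2
    elif command -v dmesg >/dev/null 2>&1; then
        dmesg 2>/dev/null | grep -m1 'Features2=' | tr '<>,' '   '
    fi
}

# Constructed sample flag lists for an offline run (not real hardware output).
SAMPLE_WITH_AESNI="fpu vme de pse tsc msr sse sse2 aes pclmulqdq avx2"
SAMPLE_WITHOUT_AESNI="fpu vme de pse tsc msr sse sse2"

# report : one-line verdict for the host this script runs on.
report() {
    if has_aesni "$(host_cpu_flags)"; then
        echo "this host: AES-NI present; enable Cryptographic Hardware = AES-NI and prefer an AES-GCM proposal"
    else
        echo "this host: AES-NI not reported; expect software crypto and lower IPsec throughput"
    fi
}

report
```

On pfSense itself, `dmesg | grep -i aesni` after enabling the setting and rebooting should additionally show the `aesni0` device attaching; if the CPU flag is present but that line is missing, the module has not been loaded and the setting did not take effect.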
-
I also tried other encryption protocols, but no luck.
-
I have to wonder if it has something to do with the fact that you are running a virtualized instance of pfSense versus bare metal. It seems like there is always some sort of tweak required when running virtually. I have no experience with that, however, as I prefer to run my routers on bare metal.
-
@gabacho4, thanks a lot. Using NIC passthrough in ESXi with AES-NI enabled in pfSense, I get much better speed now:
-
BTW, this is not for me:
I get the best IPsec performance with these: