Netgate Discussion Forum

IPSec with data compression?

2.2 Snapshot Feedback and Problems - RETIRED
    rcfa
    last edited by Jan 6, 2015, 7:47 PM

    I just noticed this "IPComp: none" in the IPSec status phase two "Algo" column.

    Is that supposed to mean no data or IP header compression?
    If so, is there a way to turn this on?

    Particularly data compression would be of interest, seeing the performance gains OpenVPN shows when working with adaptive data compression…

      eri--
      last edited by Jan 6, 2015, 8:18 PM

      It is not currently supported in FreeBSD hence it does not get activated.

        rcfa
        last edited by Jan 6, 2015, 9:59 PM

        @ermal:

        It is not currently supported in FreeBSD hence it does not get activated.

        So the compression has to happen at the kernel level?

        Are there any active efforts on the way in this regard, either on the FreeBSD side, or from the pfSense side, or is that something that may not show up for years because nobody cares about it? (Not being sarcastic, just trying to figure out if it's realistic to wait for this to be supported, or if I'd better find some other way to speed things up (like risking tinc again, etc.)) How big of a change/addition is required for this to work?

          eri--
          last edited by Jan 7, 2015, 11:17 AM

          There is some kernel level work needed to be performed on this.

          Though you can try aesni CPUs to speed up ipsec with 2.2

            eri--
            last edited by Jan 7, 2015, 3:08 PM Jan 7, 2015, 2:52 PM

            Actually I stand corrected.
            This is supported in FreeBSD and you need to supply the compression to the configuration of the VPN.

            I am checking this now and maybe push it with a toggle to enable it.

              eri--
              last edited by Jan 7, 2015, 3:34 PM

              On tomorrow's snapshots you have a setting in IPsec->advanced settings to enable IPcomp on IPsec.

              Test it out and let me know.

                rcfa
                last edited by Jan 9, 2015, 3:41 AM

                @ermal:

                Though you can try aesni CPUs to speed up ipsec with 2.2

                Unfortunately, my CPUs don't support this…

                  rcfa
                  last edited by Jan 9, 2015, 4:19 AM

                  @ermal:

                  On tomorrow's snapshots you have a setting in IPsec->advanced settings to enable IPcomp on IPsec.

                  Test it out and let me know.

                  So far so good:

                  IPSec without IPComp

                  0.0-678.6 sec  1048576 KBytes  1545 KBytes/sec
                  

                  IPSec with IPComp

                  0.0-451.5 sec  1048576 KBytes  2322 KBytes/sec
                  

                  OpenVPN with adaptive compression, no Encryption

                  0.0-221.8 sec  997888 KBytes  4500 KBytes/sec
                  

                  OpenVPN with adaptive compression, AES

                  0.0-257.0 sec  969984 KBytes  3774 KBytes/sec
                  

                  Only question: why is this a generic IPSec setting and not a setting per connection?
                  Per the ipsec.conf man page I found on the internet, the compress parameter is connection specific.

                    cmb
                    last edited by Jan 9, 2015, 6:45 AM

                    It is connection-specific, we might change that at some point in the future. It negotiates whether to use IPComp though, and will work fine with it enabled even if some of your connections don't support it as strongswan will automatically disable it where it's not supported.

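Added example (not part of the thread, and not pfSense or strongSwan code): a small Python audit that reads a strongSwan ipsec.conf and reports, per connection, whether `compress` is in effect, which is the per-connection versus global question raised above. The sample file, connection names and addresses are constructed; `also=` includes are not resolved, and `conn %default` is assumed to apply to every connection in the file.

```python
# Added example: which connections in an ipsec.conf propose IPComp?
SAMPLE_CONF = """\
# constructed sample, not taken from a real pfSense box
config setup
\tuniqueids = yes

conn %default
\tcompress = yes

conn con1
\tleft = 192.0.2.1
\tright = 198.51.100.1

conn con2
\tleft = 192.0.2.1
\tright = 203.0.113.7
\tcompress = no
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section headers start in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line: # indented "key = value" inside a conn
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def ipcomp_report(text):
    """Map each named connection to True if it proposes IPComp."""
    conns = parse_conns(text)
    # Assumption: %default applies to all conns; without it, compress defaults to "no".
    default = conns.pop("%default", {}).get("compress", "no")
    return {name: opts.get("compress", default) == "yes" for name, opts in conns.items()}


if __name__ == "__main__":
    for name, on in ipcomp_report(SAMPLE_CONF).items():
        print(f"{name}: IPComp {'proposed' if on else 'not proposed'}")
```

On a pfSense 2.2 box the file to feed in is the `/var/etc/ipsec/ipsec.conf` named in the log line later in this thread.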
                      rcfa
                      last edited by Jan 9, 2015, 1:37 PM

                      @cmb:

                      It is connection-specific, we might change that at some point in the future. It negotiates whether to use IPComp though, and will work fine with it enabled even if some of your connections don't support it as strongswan will automatically disable it where it's not supported.

                      Cool. I thought it would fit nicely on the phase two page…

                      Anyway, for me it doesn't matter much, in any case I'm happy about the increase in throughput over my line...
                      :) 8)

                        va176thunderbolt
                        last edited by Jan 9, 2015, 3:31 PM

                        I believe something in last night's build broke it. I cannot get a tunnel that was working back up unless I disable it.

                        The logs on both sides are showing this:
                        ipsec_starter[52396]: /var/etc/ipsec/ipsec.conf:22: syntax error, unexpected STRING [\tcompress]

                        Both sides of the tunnel are pfSense 2.2 boxes.

                        Adam

                          cmb
                          last edited by Jan 9, 2015, 6:01 PM

                          @va176thunderbolt:

                          I believe something in last night's build broke it. I cannot get a tunnel that was working back up unless I disable it.

                          The logs on both sides are showing this:
                          ipsec_starter[52396]: /var/etc/ipsec/ipsec.conf:22: syntax error, unexpected STRING [\tcompress]

                          The original commit had a typo that would do that, which was fixed not long after. Upgrade to the latest and that should work.
