Netgate Discussion Forum

    IPSec Throughput Limited ~ 100Mbps

    2 Posts 1 Posters 1.6k Views
      maglaubig

      I was having some issues with setting up GRE over IPSec using pfSense and an HP MSR 20-10 router.  The tunnel would come up, pass some traffic and then just stop passing traffic.  Thinking it might have been a problem with the HP router, I attempted to get GRE over IPSec between 2 pfSense virtual machines (2 NICs and 1 vCPU).  After a week and much hair pulling, I found that IPSec offloading was enabled on the NICs presented to the pfSense virtual machines.  Disabling IPSec offload fixed the problem.  I'll go back to the drawing board with the HP MSR router now and see if I can get it working.

      In searching the forums on the GRE over IPSec issue, I came across several posts regarding ipsec speed, and since my setup for GRE over IPSec was all at gigabit speed, I expected to get something over 100Mbps over VPN.  Then I came across this older post that didn't have any replies:  https://forum.pfsense.org/index.php?topic=83626.0

      Although I don't currently have the means to attempt multiple streams as the post above references, I tried some file copies and found that with IPSec up, 10MB/s was about the limit, so approaching the limit of what I would expect with 100Mbps, which was in line with the post I referenced above.  When I took IPSec off and just left GRE, the traffic more than doubled to 20-25MBps.  The intent was for GRE over IPsec over the Internet; MSS sizes were limited to 1360, MTU left at the default.  Phase 1 is SHA1/AES-128/Group2/28800 seconds.  Phase 2 is SHA1/AES-256/PFS Disabled/3600 seconds.

      I have a separate pfSense virtual machine acting as a router only (2 NICs and 2 vCPU) on the same hardware and I'm seeing non-encrypted throughput where I would expect, ~ 300-600Mbps (MTU is 1500, no MSS clamping).  That router VM has 2 vCPU in it.  The lab environment I set up for GRE over IPSec only has 1 vCPU, so I increased vCPU to 2 and tried again.

      After vCPU increases, GRE traffic throughput doubled to over 40-50MBps, IPSec saw a minor improvement of about 1-2MBps.

      These aren't very sophisticated tests; however, they do show a relationship.  Is this just a consequence of routing through GRE and fragmenting the packet?  More specifically, the number of packets the setup can reasonably process?

      1 Reply Last reply Reply Quote 0
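An added example, not part of the original posts: a sizing check for the fragmentation question above, computing the on-wire size of a full TCP segment at the stated MSS of 1360 once GRE and ESP (AES-CBC with SHA1, as in the Phase 2 proposal) are added. It goes beyond the post by covering both ESP modes and optional NAT-T, neither of which the post specifies. Assumptions: IPv4 without options, a basic 4-byte GRE header, a 16-byte AES-CBC IV and block, and a 12-byte HMAC-SHA1-96 ICV; the function names are made up for this example.

```python
# Added example: on-wire size of a TCP segment carried in GRE over IPsec ESP.
# Assumptions (not from the page): IPv4 without options, basic 4-byte GRE header,
# ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4
ESP_HDR = 8          # SPI + sequence number
AES_IV = AES_BLOCK = 16
ESP_TRAILER = 2      # pad-length byte + next-header byte
SHA1_96_ICV = 12
NAT_T_UDP = 8        # UDP encapsulation header, only when NAT-T is in use


def esp_packet_size(mss, mode="transport", nat_t=False):
    """Outer IPv4 packet size for a full-size TCP segment with the given MSS."""
    inner = mss + TCP_HDR + IP_HDR            # the original TCP/IP packet
    if mode == "transport":
        # ESP protects GRE header + inner packet; the GRE delivery IP header
        # becomes the outer header and is not encrypted.
        plaintext = GRE_HDR + inner
    elif mode == "tunnel":
        # ESP protects the whole GRE packet, including its delivery IP header.
        plaintext = IP_HDR + GRE_HDR + inner
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # CBC pads plaintext plus the 2-byte trailer up to a whole cipher block.
    padded = -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    size = IP_HDR + ESP_HDR + AES_IV + padded + SHA1_96_ICV
    return size + (NAT_T_UDP if nat_t else 0)


def max_mss(mtu=1500, mode="transport", nat_t=False):
    """Largest MSS whose encapsulated packet still fits in one MTU-sized packet."""
    mss = mtu
    while esp_packet_size(mss, mode, nat_t) > mtu:
        mss -= 1
    return mss


def report(mss=1360, mtu=1500):
    """Rows of (mode, nat_t, outer_size, fragments, max_mss) for each variant."""
    rows = []
    for mode in ("transport", "tunnel"):
        for nat_t in (False, True):
            size = esp_packet_size(mss, mode, nat_t)
            rows.append((mode, nat_t, size, size > mtu, max_mss(mtu, mode, nat_t)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("mode=%-9s nat_t=%-5s outer=%d fragments=%s max_mss=%d" % row)
```

Under these assumptions a 1360-byte MSS keeps the encrypted packet within a 1500-byte MTU in both ESP modes without NAT-T; only tunnel mode with NAT-T exceeds it.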
        maglaubig

        Bump.  Is this just a limit of the config?

        1 Reply Last reply Reply Quote 0
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.