IPSec Throughput Limited ~ 100Mbps
-
I was having some issues with setting up GRE over IPSec using pfSense and an HP MSR 20-10 router. The tunnel would come up, pass some traffic and then just stop passing traffic. Thinking it might have been a problem with the HP router, I attempted to get GRE over IPSec between 2 pfSense virtual machines (2 NICs and 1 vCPU). After a week and much hair pulling, I found that IPSec offloading was enabled on the NICs presented to the pfSense virtual machines. Disabling IPSec offload fixed the problem. I'll go back to the drawing board with the HP MSR router now and see if I can get it working.
In searching the forums on the GRE over IPSec issue, I came across several posts regarding ipsec speed, and since my setup for GRE over IPSec was all at gigabit speed, I expected to get something over 100Mbps over VPN. Then I came across this older post that didn't have any replies: https://forum.pfsense.org/index.php?topic=83626.0
Although I don't currently have the means to attempt multiple streams as the post above references, I tried some file copies and found that with IPSec up, 10 MB/s was about the limit, approaching the limit of what I would expect with 100 Mbps, which was in line with the post I referenced above. When I took IPSec off and just left GRE, the traffic more than doubled to 20-25 MB/s. The intent was for GRE over IPSec over the Internet; MSS sizes were limited to 1360, MTU left at the default. Phase 1 is SHA1/AES-128/Group2/28800 seconds. Phase 2 is SHA1/AES-256/PFS Disabled/3600 seconds.
I have a separate pfSense virtual machine acting as a router only (2 NICs and 2 vCPU) on the same hardware, and I'm seeing non-encrypted throughput where I would expect, ~300-600 Mbps (MTU is 1500, no MSS clamping). That router VM has 2 vCPU in it. The lab environment I set up for GRE over IPSec only has 1 vCPU, so I increased the vCPU count to 2 and tried again.
After the vCPU increase, GRE traffic throughput doubled to over 40-50 MB/s; IPSec saw a minor improvement of about 1-2 MB/s.
These aren't very sophisticated tests; however, they do show a relationship. Is this just a consequence of routing through GRE and fragmenting the packet? More specifically, the number of packets the setup can reasonably process?
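The fragmentation question in the post above can be checked with a per-packet overhead model. The following is an added example, not code from the post or from pfSense; it assumes ESP in tunnel mode with AES-CBC and HMAC-SHA1-96 (matching the SHA1/AES phase 2 settings), IPv4 and TCP headers without options, and a plain 4-byte GRE header (no key or sequence fields). Header sizes come from RFC 2784 (GRE), RFC 4303 (ESP), RFC 3602 (AES-CBC) and RFC 2404 (HMAC-SHA1-96).

```python
# Added example (not from the forum post): model the on-the-wire size of a
# full-MSS TCP segment carried over GRE over IPsec, so you can tell whether a
# given MSS clamp avoids fragmentation at the outer MTU and how many packets
# per second the IPsec path must process for a given payload rate.

IPV4_HDR = 20      # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # basic GRE header, no key/sequence fields (RFC 2784)
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header (RFC 4303)
AES_BLOCK = 16     # AES-CBC IV size and block size (RFC 3602)
SHA1_96_ICV = 12   # truncated HMAC-SHA1 authenticator (RFC 2404)


def esp_encrypted_len(plaintext: int) -> int:
    """Plaintext plus ESP trailer, padded up to a whole AES-CBC block."""
    return -(-(plaintext + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK


def gre_over_ipsec_packet_len(mss: int, tunnel_mode: bool = True) -> int:
    """Outer IPv4 packet size for one TCP segment of `mss` payload bytes."""
    inner_ip = IPV4_HDR + TCP_HDR + mss
    if tunnel_mode:
        # Tunnel mode (assumed here): ESP protects the entire GRE packet,
        # including its delivery IP header, and adds a new outer IP header.
        protected = IPV4_HDR + GRE_HDR + inner_ip
    else:
        # Transport mode: the GRE delivery IP header stays outside ESP.
        protected = GRE_HDR + inner_ip
    return (IPV4_HDR + ESP_HDR + AES_BLOCK
            + esp_encrypted_len(protected) + SHA1_96_ICV)


def fragments_at(mss: int, mtu: int = 1500, tunnel_mode: bool = True) -> bool:
    """True if a full-MSS segment exceeds the outer MTU after encapsulation."""
    return gre_over_ipsec_packet_len(mss, tunnel_mode) > mtu


def largest_non_fragmenting_mss(mtu: int = 1500, tunnel_mode: bool = True) -> int:
    """Largest MSS whose encapsulated packet still fits in `mtu`."""
    mss = mtu - IPV4_HDR - TCP_HDR   # start from the plain-Ethernet MSS
    while mss > 0 and gre_over_ipsec_packet_len(mss, tunnel_mode) > mtu:
        mss -= 1
    return mss


def packets_per_second(payload_bytes_per_sec: float, mss: int) -> float:
    """ESP packets per second needed to carry the payload rate at full MSS."""
    return payload_bytes_per_sec / mss


def efficiency(mss: int, tunnel_mode: bool = True) -> float:
    """Fraction of each outer packet that is TCP payload."""
    return mss / gre_over_ipsec_packet_len(mss, tunnel_mode)


if __name__ == "__main__":
    for mss in (1360, 1460):   # 1360 = the post's clamp, 1460 = unclamped
        size = gre_over_ipsec_packet_len(mss)
        print(f"MSS {mss}: outer packet {size} bytes, "
              f"fragments at 1500: {fragments_at(mss)}, "
              f"efficiency {efficiency(mss):.3f}")
    print("largest non-fragmenting MSS (tunnel mode):",
          largest_non_fragmenting_mss())
    # 10 MB/s of file-copy payload, as measured in the post
    print("pps for 10 MB/s at MSS 1360:",
          round(packets_per_second(10_000_000, 1360)))
```

Under these assumptions a 1360-byte MSS becomes a 1496-byte outer packet, so it fits a 1500-byte MTU and full-size segments are not being fragmented; anything above 1374 bytes would be. What the model does show is the packet rate: 10 MB/s of payload at MSS 1360 is roughly 7,350 ESP packets per second that one vCPU has to encrypt and authenticate, which is the per-packet cost the post's final question is getting at.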
-
Bump. Is this just a limit of the config?