On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote:
> Hi,
>
> I'm trying to determine if the performance I'm seeing between two
> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize
> there are quite a few variables to consider and I'm sure I've not
> toggled each one but I could use a sanity check regardless.
>
> Question:
> With the configuration below when I disable ipsec I can route traffic
> between the two hosts (hosts A and B) at about 900mbps. When I add the
> VPN I am getting speeds of approx. 40mbps. The CPU load on the OpenBSD
> boxes spikes to about 80% on one of the cores but the other 3 are
> essentially unaffected. Enabling/Disabling AES-NI in the bios doesn't
> seem to actually do anything as the cpu message in dmesg still shows the
> AES flag.
>
> The test I'm using is this
> Host A:
> # nc -v -l 12345 > /dev/null
>
> Host B:
> # dd if=/dev/zero bs=1000 count=10000 | nc -v <host a> 12345
>
> The reason these performance numbers are concerning to me is that I
> wanted a solution that would allow me to get decent (a.k.a. 100mbps +/-
> 10%) without having to buy expensive cisco/juniper devices.

I would start playing with different modes, to see if that makes a
difference. It could very well be that AES-NI is only used in certain
modes. Start with the iked defaults for a start.

> Am I dreaming or have others had better performance? Also, any recent
> data on AES-NI optimizations would be helpful.
>
> Thanks
> Jim
>
> Hardware Configuration:
> - (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled

amd64 or i386? Why strip info from dmesg? It *might* make a difference.

	-Otto

> cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class)
> 3.10 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,LAHF
> cpu1: ..
> cpu2: ...
> cpu3: ...
> - 2GB ram
> - AES-NI enabled in bios
> - (4) Intel PRO/1000 MT (82574L)
>
> Software Configuration:
> VPN A
> /etc/iked.conf
> ikev2 active esp \
> from 172.16.1.0/24 to 172.16.2.0/24 \
> local 10.0.0.1 peer 10.0.0.2 \
> ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
> childsa enc aes-256-gmac \
> psk "helpmeplease"
>
> VPN B
> (reverse of A config)
>
> Host A -> 172.16.1.2 (behind VPN A)
> Host B -> 172.16.2.2 (behind VPN B)
> VPN A (10.0.0.1) talks to B (10.0.0.2) via a crossover cable.
> No switches/routers/hubs/etc in this test system. All hosts running
> linux with 1000mb phys.
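The script below is an added example, not part of the thread and not anything the poster or Otto ran. It turns Otto's suggestion (try different modes and see which ones the hardware actually accelerates) into a repeatable sweep: it generates one iked.conf variant per childsa transform from the poster's own VPN A config, checks a dmesg cpu flag list for the AES token, and times the same dd/nc transfer the poster used, reporting Mbit/s. The transform names (aes-256-gcm, aes-256 with hmac-sha2-256, aes-128 with hmac-sha1) are assumed to match what iked.conf(5) accepts on the release in use; the PSK is a placeholder; output paths and the "bench"/"write" subcommands are the example's own invention. One caveat worth noting while sweeping: aes-256-gmac, the transform in the poster's config, is GMAC (RFC 4543), which authenticates ESP payloads but does not encrypt them, so the sweep also includes transforms that provide confidentiality.

```shell
#!/bin/sh
# Added example (not from the thread): repeat the poster's nc/dd throughput
# test across several iked childsa transforms. Transform names are assumed
# to match iked.conf(5); the PSK is a placeholder; nothing here installs a
# config, it only writes candidates for the admin to copy to both endpoints.

# Throughput in Mbit/s (integer) from a byte count and elapsed seconds.
mbps() { # mbps BYTES SECONDS
    awk -v b="$1" -v s="$2" 'BEGIN { printf "%d\n", (b * 8) / (s * 1000000) }'
}

# True when a comma-separated dmesg cpu flag list contains the AES token,
# i.e. the CPU advertises AES-NI. Whether the kernel uses it is a separate
# question, which is exactly what the sweep is meant to reveal.
has_aesni() { # has_aesni "FLAG,FLAG,..."
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'AES'
}

# Emit an iked.conf based on the poster's VPN A config with the childsa
# transform replaced. The optional second argument adds an "auth" transform
# for non-AEAD ciphers. aes-*-gmac (RFC 4543) is authentication only.
gen_iked_conf() { # gen_iked_conf CHILDSA_ENC [CHILDSA_AUTH]
    auth_clause=""
    if [ -n "${2:-}" ]; then
        auth_clause=" auth $2"
    fi
    cat <<EOF
ikev2 active esp \\
    from 172.16.1.0/24 to 172.16.2.0/24 \\
    local 10.0.0.1 peer 10.0.0.2 \\
    ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \\
    childsa enc $1$auth_clause \\
    psk "REPLACE_WITH_A_STRONG_PSK"
EOF
}

# One timed transfer of BYTES zeros to a listener started on host A with
# "nc -l PORT > /dev/null", using whole seconds like the poster's test.
bench_once() { # bench_once PEER_IP PORT BYTES
    start=$(date +%s)
    dd if=/dev/zero bs=1000 count=$(( $3 / 1000 )) 2>/dev/null | nc "$1" "$2"
    end=$(date +%s)
    elapsed=$(( end - start ))
    [ "$elapsed" -gt 0 ] || elapsed=1
    mbps "$3" "$elapsed"
}

# Write one candidate config per transform into OUTDIR; VPN B gets the
# mirror image (swap from/to and local/peer) as in the poster's setup.
write_candidates() { # write_candidates OUTDIR
    mkdir -p "$1"
    gen_iked_conf aes-256-gmac          > "$1/iked.conf.aes-256-gmac"
    gen_iked_conf aes-256-gcm           > "$1/iked.conf.aes-256-gcm"
    gen_iked_conf aes-256 hmac-sha2-256 > "$1/iked.conf.aes-256-cbc-sha256"
    gen_iked_conf aes-128 hmac-sha1     > "$1/iked.conf.aes-128-cbc-sha1"
    ls "$1"
}

# Usage: sh sweep.sh write [OUTDIR]        (generate candidate configs)
#        sh sweep.sh bench PEER_IP [PORT]  (time a 10 MB transfer, as the poster did)
case "${1:-}" in
    bench) bench_once "$2" "${3:-12345}" 10000000 ;;
    write) write_candidates "${2:-./iked-candidates}" ;;
esac
```

Run "write" once, then for each candidate install it on both endpoints, restart iked, and run "bench" from host B; comparing the Mbit/s figures and the per-core load in top across transforms shows which modes the kernel accelerates on that CPU and architecture (Otto's amd64 versus i386 question applies here too).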