On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote:

> Hi,
> 
> I'm trying to determine if the performance I'm seeing between two
> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected).  I recognize
> there are quite a few variables to consider and I'm sure I've not
> toggled each one but I could use a sanity check regardless.
> 
> Question:
> With the configuration below when I disable ipsec I can route traffic
> between the two hosts (hosts A and B) at about 900mbps.  When I add the
> VPN I am getting speeds of approx. 40mbps.  The CPU load on the OpenBSD
> boxes spikes to about 80% on one of the cores but the other 3 are
> essentially unaffected.  Enabling/Disabling AES-NI in the bios doesn't
> seem to actually do anything as the cpu message in dmesg still shows the
> AES flag. 
> 
> The test I'm using is this
> Host A:
> # nc -v -l 12345 | /dev/null
> 
> Host B:
> # dd if=/dev/zero bs=1000 count=10000 | nc -v <host a> 12345
> 
> The reason these performance numbers are concerning to me is that I
> wanted a solution that would allow me to get decent (a.k.a. 100mbps +/-
> 10%) without having to buy expensive cisco/juniper devices.

I would start playing with different modes, to see if that makes a
difference. It could very well be that AES-NI is only used in certain
modes. Start with the iked defaults for a start.

> 
> Am I dreaming or have others had better performance?  Also, any recent
> data on AES-NI optimizations would be helpful.
> 
> Thanks
> Jim
> 
> Hardware Configuration:
> - (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled

amd64 or i386? Why strip info from dmesg? It *might* mkae a difference.

        -Otto


> 
> cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class)
> 3.10 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,LAHF
> cpu1: ..
> cpu2: ...
> cpu3: ...
> - 2GB ram
> - AES-NI enabled in bios
> - (4) Intel PRO/1000 MT (82574L)
> 
> Software Configuration:
> VPN A
> /etc/iked.conf
> ikev2 active esp \
>         from 172.16.1.0/24 to 172.16.2.0/24 \
>         local 10.0.0.1 peer 10.0.0.2 \
>         ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
>         childsa enc aes-256-gmac \
>         psk "helpmeplease"
> 
> VPN B
> (reverse of A config)
> 
> Host A -> 172.16.1.2  (behind VPN A)
> Host B- > 172.16.2.2  (behind VPN B)
> VPN A (10.0.0.1) talks to B (10.0.0.2) via a crossover cable.
> No switches/routers/hubs/etc in this test system.  All hosts running
> linux with 1000mb phys.

Reply via email to