On Thu, Sep 27, 2012 at 11:30 PM, Jim Miller <jmil...@sri-inc.com> wrote: > Hi, > > I'm trying to determine if the performance I'm seeing between two > OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize > there are quite a few variables to consider and I'm sure I've not > toggled each one but I could use a sanity check regardless. > > Question: > With the configuration below when I disable ipsec I can route traffic > between the two hosts (hosts A and B) at about 900mbps. When I add the > VPN I am getting speeds of approx. 40mbps. The CPU load on the OpenBSD > boxes spikes to about 80% on one of the cores but the other 3 are > essentially unaffected. Enabling/Disabling AES-NI in the bios doesn't > seem to actually do anything as the cpu message in dmesg still shows the > AES flag. > > The test I'm using is this > Host A: > # nc -v -l 12345 | /dev/null > > Host B: > # dd if=/dev/zero bs=1000 count=10000 | nc -v <host a> 12345 > > The reason these performance numbers are concerning to me is that I > wanted a solution that would allow me to get decent (a.k.a. 100mbps +/- > 10%) without having to buy expensive cisco/juniper devices. > > Am I dreaming or have others had better performance? Also, any recent > data on AES-NI optimizations would be helpful. > > Thanks > Jim > > Hardware Configuration: > - (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled > > cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class) > 3.10 GHz > cpu0: > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,LAHF > cpu1: .. > cpu2: ... > cpu3: ... > - 2GB ram > - AES-NI enabled in bios > - (4) Intel PRO/1000 MT (82574L) > > Software Configuration: > VPN A > /etc/iked.conf > ikev2 active esp \ > from 172.16.1.0/24 to 172.16.2.0/24 \ > local 10.0.0.1 peer 10.0.0.2 \ > ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \ > childsa enc aes-256-gmac \ > psk "helpmeplease" > > VPN B > (reverse of A config) > > Host A -> 172.16.1.2 (behind VPN A) > Host B- > 172.16.2.2 (behind VPN B) > VPN A (10.0.0.1) talks to B (10.0.0.2) via a crossover cable. > No switches/routers/hubs/etc in this test system. All hosts running > linux with 1000mb phys. >
Hi, I have two suggestions: 1) try -current as forwarding performance was improved; 2) try aes-128-gcm for child sa (traffic encryption). aes-256-gmac-gmac means don't encrypt, just authenticate. I must say I'm curious about Xeon E3 AES-NI performance myself as we have tested only core i5, i7 and previous generation xeons, but the cpu you've picked should be the right choice. Cheers, Mike