On Thu, Sep 27, 2012 at 11:30 PM, Jim Miller <jmil...@sri-inc.com> wrote:
> Hi,
>
> I'm trying to determine if the performance I'm seeing between two
> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected). I recognize
> there are quite a few variables to consider and I'm sure I've not
> toggled each one but I could use a sanity check regardless.
>
> Question:
> With the configuration below when I disable ipsec I can route traffic
> between the two hosts (hosts A and B) at about 900mbps. When I add the
> VPN I am getting speeds of approx. 40mbps. The CPU load on the OpenBSD
> boxes spikes to about 80% on one of the cores but the other 3 are
> essentially unaffected. Enabling/Disabling AES-NI in the bios doesn't
> seem to actually do anything as the cpu message in dmesg still shows the
> AES flag.
>
> The test I'm using is this
> Host A:
> # nc -v -l 12345 | /dev/null
>
> Host B:
> # dd if=/dev/zero bs=1000 count=10000 | nc -v <host a> 12345
>
> The reason these performance numbers are concerning to me is that I
> wanted a solution that would allow me to get decent (a.k.a. 100mbps +/-
> 10%) without having to buy expensive cisco/juniper devices.
>
> Am I dreaming or have others had better performance? Also, any recent
> data on AES-NI optimizations would be helpful.
>
> Thanks
> Jim
>
> Hardware Configuration:
> - (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled
>
> cpu0: Intel(R) Xeon(R) CPU E31220 @ 3.10GHz ("GenuineIntel" 686-class)
> 3.10 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,LAHF
> cpu1: ..
> cpu2: ...
> cpu3: ...
> - 2GB ram
> - AES-NI enabled in bios
> - (4) Intel PRO/1000 MT (82574L)
>
> Software Configuration:
> VPN A
> /etc/iked.conf
> ikev2 active esp \
> from 172.16.1.0/24 to 172.16.2.0/24 \
> local 10.0.0.1 peer 10.0.0.2 \
> ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
> childsa enc aes-256-gmac \
> psk "helpmeplease"
>
> VPN B
> (reverse of A config)
>
> Host A -> 172.16.1.2 (behind VPN A)
> Host B- > 172.16.2.2 (behind VPN B)
> VPN A (10.0.0.1) talks to B (10.0.0.2) via a crossover cable.
> No switches/routers/hubs/etc in this test system. All hosts running
> linux with 1000mb phys.
>
Hi,
I have two suggestions:
1) try -current as forwarding performance was improved;
2) try aes-128-gcm for child sa (traffic encryption). aes-256-gmac-gmac
means don't encrypt, just authenticate.
I must say I'm curious about Xeon E3 AES-NI performance myself as
we have tested only core i5, i7 and previous generation xeons, but
the cpu you've picked should be the right choice.
Cheers,
Mike
