On Fri, Sep 28, 2012 at 11:45 AM, Otto Moerbeek <o...@drijf.net> wrote:
> On Thu, Sep 27, 2012 at 05:30:38PM -0400, Jim Miller wrote:
>
>> Hi,
>>
>> I'm trying to determine if the performance I'm seeing between two
>> OpenBSD 5.1 IPSEC VPN endpoints is typical (or expected).  I recognize
>> there are quite a few variables to consider and I'm sure I've not
>> toggled each one but I could use a sanity check regardless.
>>
>> Question:
>> With the configuration below when I disable ipsec I can route traffic
>> between the two hosts (hosts A and B) at about 900mbps.  When I add the
>> VPN I am getting speeds of approx. 40mbps.  The CPU load on the OpenBSD
>> boxes spikes to about 80% on one of the cores but the other 3 are
>> essentially unaffected.  Enabling/Disabling AES-NI in the bios doesn't
>> seem to actually do anything as the cpu message in dmesg still shows the
>> AES flag.
>>
>> The test I'm using is this
>> Host A:
>> # nc -v -l 12345 > /dev/null
>>
>> Host B:
>> # dd if=/dev/zero bs=1000 count=10000 | nc -v <host a> 12345
>>
>> The reason these performance numbers are concerning to me is that I
>> wanted a solution that would allow me to get decent (a.k.a. 100mbps +/-
>> 10%) without having to buy expensive cisco/juniper devices.
>
> I would start playing with different modes, to see if that makes a
> difference. It could very well be that AES-NI is only used in certain
> modes. Start with the iked defaults for a start.
>

aes-ni is used for all aes-related modes (aes-cbc, aes-ctr, aes-gcm
and aes-gmac)... on amd64.

>>
>> Am I dreaming or have others had better performance?  Also, any recent
>> data on AES-NI optimizations would be helpful.
>>
>> Thanks
>> Jim
>>
>> Hardware Configuration:
>> - (2) identical SuperMicro systems with quad core E31220 w/ AES-NI enabled
>
> amd64 or i386? Why strip info from dmesg? It *might* make a difference.
>

wow. it definitely makes a difference: aes-ni is not supported on i386.

>         -Otto
