Hello, I did some testing with AES-NI enabled CPU. You can find them in the list archives, here : http://old.nabble.com/Re%3A-ipsec-tunnel-speeds-p34080479.html
Upgrading CPU number is useless (if I have well understood how it works) : IPsec only runs on the first core. -- Cordialement, Pierre BARDOU -----Message d'origine----- De : Chris Cappuccio [mailto:ch...@nmedia.net] Envoyé : mardi 16 juillet 2013 00:51 À : Evgeniy Sudyr Cc : misc@openbsd.org; mi...@openbsd.org Objet : Re: OpenBSD ipsec performance on modern HW Evgeniy Sudyr [eject.in...@gmail.com] wrote: > > BOX1 dmesg: > cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.45 MHz > cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu4: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu5: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu6: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu7: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu8: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu9: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz > cpu10: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz > cpu11: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz > cpu12: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu13: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz > cpu14: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz > cpu15: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz > > > BOX2 dmesg: > cpu0: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.98 MHz > cpu1: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu2: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu3: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu4: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu5: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu6: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz > cpu7: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz I think to get better performance, you need to add more CPUs and more RAM. 16 CPUs and 32GB of RAM is hardly enough to get more than 270Mbps encryption throuhput. Ok, maybe I'm exaggerating. You won't see difference between a dual core CPU of similar spec with 1GB of RAM and what you have now. Really, OpenBSD needs to use more than one of your 16 cores at a time for encryption if you want higher speed. Some people talked about giving the encryption system its own core to work on so it doesn't compete with the rest of the kernel. That would help you get somewhat higher throughput. But the real solution for getting significant speed boosts on kernel-based IPsec with your type of hardware is much farther off. You can only hope for small improvements until that magical work is completed by the master magicians.