On 2016-11-09, "Comète" <com...@daknet.org> wrote: > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C > boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a > maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, very > low for an AES-NI enabled processor.
Well, it still is a slow processor. For best performance, I'd add "childsa enc aes-128-gcm" to the iked configuration. The default cipher is aes-256-cbc with hmac-sha2-256, and the latter has a noticeable performance impact. > And about 30 seconds after the test is > started, I don't know why, the connection is lost and I have restart IKED > daemon on the "passive" host. Every half gigabyte of transferred data, iked rekeys. There is a longstanding bug there that causes the ikeds to lose synchronization. They will eventually resync on their own, but it takes several minutes. -- Christian "naddy" Weisgerber na...@mips.inka.de
