Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
> There is a longstanding bug there that causes the ikeds to lose
> synchronization.

Is this bug fixed or not in 6.5?

On Wed, 9 Nov 2016 15:19:49 +0000 (UTC)
Christian Weisgerber wrote:

> On 2016-11-09, "Comète" wrote:
>
> > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> > boxes connected with an Ethernet cable and an IPSEC VPN using IKEv2. I get a
> > maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> > low for an AES-NI enabled processor.
>
> Well, it still is a slow processor. For best performance, I'd add
> "childsa enc aes-128-gcm" to the iked configuration. The default
> cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
> noticeable performance impact.
>
> > And about 30 seconds after the test is
> > started, I don't know why, the connection is lost and I have to restart the IKED
> > daemon on the "passive" host.
>
> Every half gigabyte of transferred data, iked rekeys. There is a
> longstanding bug there that causes the ikeds to lose synchronization.
> They will eventually resync on their own, but it takes several
> minutes.
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de

--
Radek
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
10 November 2016 12:50 "Stefan Sperling" wrote:
> Yes, that is worth trying as a workaround if you don't have
> clients that require IKEv2. If you control both ends of the
> tunnel then there's absolutely no reason not to try IKEv1.
>
> I have never seen such a problem with isakmpd but I'm not sure if
> I've ever even hit half a gigabyte in a single session (I mostly
> use it to provide IPsec for mobile data on my phone).
> But since isakmpd has been widely deployed for years I very
> much doubt it still has such bugs.
>
> Also note that it is currently impossible to run both isakmpd
> and iked on the same OpenBSD host, in case that matters.

Ok, indeed I control both ends of the tunnel, so I will give it a try.

Thank you.
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
On Thu, Nov 10, 2016 at 10:42:13AM +0000, Comète wrote:
> Now, I can ask the question differently:
>
> If I don't want the connection to be
> reset every half gigabyte, should I rather choose isakmpd?

Yes, that is worth trying as a workaround if you don't have
clients that require IKEv2. If you control both ends of the
tunnel then there's absolutely no reason not to try IKEv1.

I have never seen such a problem with isakmpd but I'm not sure if
I've ever even hit half a gigabyte in a single session (I mostly
use it to provide IPsec for mobile data on my phone).
But since isakmpd has been widely deployed for years I very
much doubt it still has such bugs.

Also note that it is currently impossible to run both isakmpd
and iked on the same OpenBSD host, in case that matters.
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
10 November 2016 11:00 "Stefan Sperling" wrote:
> On Thu, Nov 10, 2016 at 09:00:07AM +0000, Comète wrote:
>
>> Oh, should I understand that IKEv2 is unusable on production?
>
> This question is counter-productive because it demotivates volunteers.

My goal wasn't to demotivate anyone. Sorry for that.

> Developers may help you out of kindness, or they may help you indirectly
> because the problem affects themselves badly enough to make them care.
> But no volunteer will spend their free time helping you just because
> you need something for production.
>
> Did you read the large letters in our licence text? Nobody here has any
> obligation to help you with any problem you might have with the software.
>
> You're using software with a community of people attached to it, not some
> product that you bought with features and promises written on the box that
> you're now entitled to.

I don't want you to lose your free time answering my question. I simply asked
for advice; everyone is free to answer or not. And I don't accuse anyone, nor
criticise the quality of the OS and the software.

Now, I can ask the question differently:

If I don't want the connection to be reset every half gigabyte, should I
rather choose isakmpd?

Thanks guys.
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
On Thu, Nov 10, 2016 at 09:00:07AM +0000, Comète wrote:
> Oh, should I understand that IKEv2 is unusable on production?

This question is counter-productive because it demotivates volunteers.

Developers may help you out of kindness, or they may help you indirectly
because the problem affects themselves badly enough to make them care.
But no volunteer will spend their free time helping you just because
you need something for production.

Did you read the large letters in our licence text? Nobody here has any
obligation to help you with any problem you might have with the software.

You're using software with a community of people attached to it, not some
product that you bought with features and promises written on the box that
you're now entitled to.
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
9 novembre 2016 16:40 "Stuart Henderson" a écrit: > On 2016-11-09, =?utf-8?B?Q29tw6h0ZQ==?= wrote: > >> Hi, >> >> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C >> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a >> maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, very >> low for an AES-NI enabled processor. > > Try it with aes-128-gcm. Ok I will try. > >> And about 30 seconds after the test is >> started, I don't know why, the connection is lost and I have restart IKED >> daemon on the "passive" host. > > Anything in logs? Anything on-screen if you run iked -vd? No, nothing strange appears if I run iked -vd. Thanks
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
9 novembre 2016 16:40 "Christian Weisgerber" a écrit: > On 2016-11-09, "Comète" wrote: > >> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C >> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a >> maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, very >> low for an AES-NI enabled processor. > > Well, it still is a slow processor. For best performance, I'd add > "childsa enc aes-128-gcm" to the iked configuration. The default > cipher is aes-256-cbc with hmac-sha2-256, and the latter has a > noticeable performance impact. Ok thanks for the idea, I will test with these options. >> And about 30 seconds after the test is >> started, I don't know why, the connection is lost and I have restart IKED >> daemon on the "passive" host. > > Every half gigabyte of transferred data, iked rekeys. There is a > longstanding bug there that causes the ikeds to lose synchronization. > They will eventually resync on their own, but it takes several > minutes. Oh, should I understand that IKEv2 is unusable on production ? By the way, is it possible to reduce this delay when the iked rekeys ? Thanks.
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
On 2016-11-09, "Comète" wrote: > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C > boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a > maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, very > low for an AES-NI enabled processor. Well, it still is a slow processor. For best performance, I'd add "childsa enc aes-128-gcm" to the iked configuration. The default cipher is aes-256-cbc with hmac-sha2-256, and the latter has a noticeable performance impact. > And about 30 seconds after the test is > started, I don't know why, the connection is lost and I have restart IKED > daemon on the "passive" host. Every half gigabyte of transferred data, iked rekeys. There is a longstanding bug there that causes the ikeds to lose synchronization. They will eventually resync on their own, but it takes several minutes. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
On 2016-11-09, Comète wrote:
> Hi,
>
> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> boxes connected with an Ethernet cable and an IPSEC VPN using IKEv2. I get a
> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> low for an AES-NI enabled processor.

Try it with aes-128-gcm.

> And about 30 seconds after the test is
> started, I don't know why, the connection is lost and I have to restart the IKED
> daemon on the "passive" host.

Anything in logs? Anything on-screen if you run iked -vd?
low bandwidth results with IPSEC enabled between two PC Engines APU2C2
Hi,

I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
boxes connected with an Ethernet cable and an IPSEC VPN using IKEv2. I get a
maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
low for an AES-NI enabled processor. And about 30 seconds after the test is
started, I don't know why, the connection is lost and I have to restart the IKED
daemon on the "passive" host.

If I disable the VPN, I get a maximum of 439 Avg Mbps which is not fabulous for
a 1 Gbps link but quite a bit better than 66 Mbps.

The tests were made with tcpbench: tcpbench a.a.a.a on one host and tcpbench -s
on the other one. No optimisation at all in sysctl.conf, only a default install.

This is the IKEv2 configuration file on host 2:

ikev2 "HDV" active esp from $local_gw to $remote_gw \
        from $LAN_LOCAL to $LAN_HDV_INFRA \
        peer $remote_gw srcid $local_gw psk "testpassword"

and the IKEv2 configuration file on host 1:

ikev2 "HDV-CEV" passive esp from $local_gw to $remote_gw \
        from $LAN_HDV_INFRA to $LAN_CEV \
        peer $remote_gw srcid $local_gw psk "testpassword"

My question is, is there any optimisation I can set somewhere to get a better
result with max bandwidth?

Thanks!

Morgan
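For reference, here is Morgan's host 2 policy with the change Christian Weisgerber suggests in his reply ("childsa enc aes-128-gcm") applied. This is an added example written for this page, not configuration posted by anyone in the thread; the macro values are constructed placeholders, and the commented-out block is the original policy with iked's default Child SA cipher shown for comparison.

```conf
# Added example, not from the thread. Macro values are constructed
# placeholders standing in for the poster's real addresses and networks.
local_gw      = "192.0.2.1"
remote_gw     = "192.0.2.2"
LAN_LOCAL     = "10.0.1.0/24"
LAN_HDV_INFRA = "10.0.2.0/24"

# Original policy from the thread. With no childsa line, iked negotiates its
# default Child SA cipher, aes-256-cbc with hmac-sha2-256; the separate HMAC
# pass is what the thread identifies as the noticeable CPU cost on the APU2.
#ikev2 "HDV" active esp from $local_gw to $remote_gw \
#        from $LAN_LOCAL to $LAN_HDV_INFRA \
#        peer $remote_gw srcid $local_gw psk "testpassword"

# Same policy with an AEAD cipher. AES-GCM encrypts and authenticates in one
# pass, so no separate auth algorithm is given for the childsa. The childsa
# keyword goes after peer and before srcid in iked.conf's grammar.
ikev2 "HDV" active esp from $local_gw to $remote_gw \
        from $LAN_LOCAL to $LAN_HDV_INFRA \
        peer $remote_gw \
        childsa enc aes-128-gcm \
        srcid $local_gw psk "testpassword"
```

The passive side on host 1 needs the matching `childsa enc aes-128-gcm` line, otherwise the proposals will not agree and the Child SA will not come up. The half-gigabyte rekey Christian describes is iked's default Child SA byte lifetime (iked.conf(5) documents the default as 3 hours and 512 MB); this example leaves it at the default, since nothing in the thread establishes that a different lifetime avoids the desynchronisation he mentions.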