next »

[dotdash]

I've done some testing with a couple of Alix 2c3 boxes with iperf.
All tests were done using the same setup:
Pc1---lan-Alix1-wan-(ipsec)-wan-Alix2-lan---Pc2
PC's are running base loads of FreeBSD 7.1 beta2, em nics. Alix wans connected via crossover.
The hifn cards used were Soekris vpn1411's in each box.

Here is with AES-128
1.2            14 Mb/s
1.2(hifn)     37 Mb/s
1.2.2          14 Mb/s
1.2.2(glxsb) 13 Mb/s *kldload glxsb.ko on each box after booting
1.2.2(hifn)   26 Mb/s
1.2.3          13 Mb/s *pfSense-1.2.3-20090225-0212.img (glxsb is in the kernel)
1.2.3(hifn)   12 Mb/s

This is with 3DES
1.2             8 Mb/s
1.2(hifn)     39 Mb/s
1.2.3           8 Mb/s
1.2.3(hifn)   27 Mb/s

Granted there could be faults with my testing, but here are some observations:
1) glxsb is not helping ipsec throughput in my configuration. It may be lowering cpu usage, I didn't check that.
2) The vpn1411 helps Ipsec throughput significantly.
3) Having glxsb in the kernel is a bad idea if you have a hifn and want to do AES.
4) The 7.x releases seem to be slower with hardware crypto.

These results lead me to believe that keeping glxsb in the 1.2.3 kernel is a bad idea. Perhaps a checkbox that would add it the loader.conf? That way it could be disabled for hifn users.

For sanity checking here are my IPSec settings:
agressive negotiation
identifier my ip address
rijndael sha1 DH group 2 lifetime 28800 PSK
Phase 2
ESP rijndael (AES) SHA1 PFS 2 lifetime 28800

[plamaiziere]

1.2.2(glxsb) 13 Mb/s *kldload glxsb.ko on each box after booting

Hi, I've filled a PR about the poor performance of the glxsb(4) driver and IPsec,
see http://www.freebsd.org/cgi/query-pr.cgi?pr=132622

With an ipsec tunnel without hmac authentication, the throughput of gxlsb is around 50 Mbits.
But with sha1 authentication, the throughput is less, because glxsb only accelerates aes-128-cbc encryption.

[dotdash]

Thanks for the follow-up. Your effort on the glxsb driver is appreciated. I believe once the bugs are worked out, it is going to be very helpful to those running Alix and Soekris boxes.

[cmb]

I just happened to find this now that I'm messing with glxsb. We added the patch in kern/132622 in March, it's in 1.2.3 snapshots. Thanks much for your work on glxsb, Patrick!  Glad to see you on our forum too.

We're looking at building glxsb as a module right now, so we can test with and without it, and to get it out of the way when you have a much faster Hifn installed.

I'm seeing 19.4 Mbps through IPsec with AES-128 on an ALIX with glxsb, and 40 Mbps 3DES with a hifn 7955 (Soekris vpn1411) vs. 8.4 Mbps 3DES without hifn. Nice performance boost with the hifn. Not sure what impact glxsb has yet.