pfSense English Support > IPsec

ipsec not using AES-NI?

(1/1)

don.key:
Hi,

I am configuring a new pair of firewalls to provide Site to Site gigabit VPN link. Both machines have i7-4500U AES-NI enabled CPUs and run 2.4.2-RELEASE-p1 (amd64)

Crypto is set to AES-NI and is working
openssl speed -evp aes-256-cbc

--- Code: ---type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      79567.75k   281417.23k  1357269.13k  3620354.84k 74564763.65k
--- End code ---

I see following iperf3 results between two devices (not firewalls themselves) on both ends:


--- Code: ---No VPN 930 Mbits/sec
OpenVPN 783 Mbits/sec
IPSec 439 Mbits/sec

--- End code ---

IPSec ESP is set to 'AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ'

Performance of IPSec seems not to change no matter what I do: disable crypto, set to AES-NI or BSD Cryptodev or both (of course with reboot after each change). openssl speed does see the changes but IPSec does not. Any idea why this can be?

Thanks

don.key:
Fixed that...

Changed encryption to: AES-128-GCM / SHA256 / DH 14 and IPSec performance jumped to 877 Mbit/sec.

Navigation

[0] Message Index

Go to full version