I am configuring a new pair of firewalls to provide a site-to-site gigabit VPN link. Both machines have i7-4500U AES-NI-enabled CPUs and run 2.4.2-RELEASE-p1 (amd64).

Crypto is set to AES-NI and is working:
openssl speed -evp aes-256-cbc

--- Code: ---
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      79567.75k   281417.23k  1357269.13k  3620354.84k 74564763.65k
--- End code ---

I see the following iperf3 results between two devices (not the firewalls themselves) on both ends:

--- Code: ---
No VPN  930 Mbits/sec
OpenVPN 783 Mbits/sec
IPSec   439 Mbits/sec
--- End code ---

IPSec ESP is set to 'AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ'

Performance of IPSec does not seem to change no matter what I do: disabling crypto, setting it to AES-NI, BSD Cryptodev, or both (with a reboot after each change, of course). openssl speed does see the changes, but IPSec does not. Any idea why this could be?


Fixed that...

Changed encryption to AES-128-GCM / SHA256 / DH 14, and IPSec performance jumped to 877 Mbit/sec.
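An added example, not from the original thread: a small POSIX shell script that takes `openssl speed` tables (the tool already used above) and estimates how an ESP proposal that encrypts with AES-128-CBC and then authenticates with HMAC-SHA1 compares with single-pass AES-128-GCM, since a two-pass suite can go no faster than 1/(1/cbc + 1/sha1) while GCM encrypts and authenticates in one pass. It runs on a constructed sample table by default and benchmarks the local openssl when given `--live`; because it measures userland OpenSSL rather than the kernel IPsec path, treat the result as a relative indicator only. Assumed: raw `sha1` stands in for HMAC-SHA1 cost, and the row names follow the speed table layout shown above.

```shell
#!/bin/sh
# Added example (not from the thread): estimate per-byte crypto cost of the two ESP
# proposals from `openssl speed` tables. AES-CBC + HMAC-SHA1 makes two passes over
# the payload; AES-GCM encrypts and authenticates in one. Userland OpenSSL only,
# so a relative indicator for the kernel IPsec path, not a measurement of it.
set -eu

# Constructed sample in `openssl speed` layout; numbers are illustrative, not
# taken from the poster's firewalls.
SAMPLE_SPEED_TABLE='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     120000.00k   400000.00k  1500000.00k  3900000.00k  4200000.00k
sha1            100000.00k   300000.00k   600000.00k   800000.00k   850000.00k
aes-128-gcm      90000.00k   350000.00k  1300000.00k  2800000.00k  3100000.00k'

# last_column NAME: largest-block throughput (kB/s) of row NAME from a table on stdin.
# Row names are compared case-insensitively (newer openssl prints AES-128-GCM).
last_column() {
    awk -v row="$1" 'tolower($1) == row { sub(/k$/, "", $NF); print $NF; found = 1 }
                     END { exit !found }'
}

# series_kbps A B: throughput of pass A followed by pass B over the same bytes,
# i.e. 1 / (1/A + 1/B), truncated to an integer.
series_kbps() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", (a * b) / (a + b) }'
}

# compare_suites < table: prints "<cbc+sha1 kB/s> <gcm kB/s> <gcm/(cbc+sha1) ratio>".
# Raw sha1 stands in for HMAC-SHA1 (assumption: close enough for large packets).
compare_suites() {
    table=$(cat)
    cbc=$(printf '%s\n' "$table" | last_column aes-128-cbc)
    sha=$(printf '%s\n' "$table" | last_column sha1)
    gcm=$(printf '%s\n' "$table" | last_column aes-128-gcm)
    legacy=$(series_kbps "$cbc" "$sha")
    awk -v l="$legacy" -v g="$gcm" 'BEGIN { printf "%d %d %.2f\n", l, g, g / l }'
}

# live_table: benchmark the local openssl and keep only the data rows of each table.
live_table() {
    openssl speed -evp aes-128-cbc 2>/dev/null | awk '$NF ~ /k$/'
    openssl speed -evp aes-128-gcm 2>/dev/null | awk '$NF ~ /k$/'
    openssl speed sha1 2>/dev/null | awk '$NF ~ /k$/'
}

if [ "${1:-}" = --live ] && command -v openssl >/dev/null 2>&1; then
    live_table | compare_suites
else
    printf '%s\n' "$SAMPLE_SPEED_TABLE" | compare_suites
fi
```

With the sample table the script prints `706930 3100000 4.39`: the two-pass suite is bounded by the slower SHA-1 pass, which is why switching the ESP proposal to GCM can lift throughput even when AES itself is already accelerated.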