
Author Topic: IPsec High CPU


Offline jeffsmith82

  • Jr. Member
  • Posts: 30
  • Karma: +0/-0
IPsec High CPU
« on: January 25, 2018, 04:32:40 am »
I'm seeing a CPU spike on one core when I push a lot of traffic across a VPN tunnel to another one of our sites. I know IPsec is single threaded, so when it uses all the CPU on one core that's the limit.

I was wondering if there is any good guide on which Ciphers to pick for my particular hardware. The CPU I have is

CPU: Intel(R) Xeon(R) CPU E5-1410 0 @ 2.80GHz (2800.06-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x206d7  Family=0x6  Model=0x2d  Stepping=7
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x1fbee3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
  AMD Features2=0x1<LAHF>
  XSAVE Features=0x1<XSAVEOPT>
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics

I can see "AES-NI CPU Crypto: Yes (inactive)", but the ciphers I'm currently using for the tunnels are ESP, 3DES + SHA1. Would I get better performance if I switched to AES?

https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported: this page does say to use AES-GCM on both sides of the tunnel.



Offline Mike G

  • Full Member
  • Posts: 130
  • Karma: +0/-0
Re: IPsec High CPU
« Reply #1 on: January 26, 2018, 10:33:07 am »
Not quite an answer to your question, but I'm watching this thread with curiosity.

First of all, if you want to use AES you should activate it (in pfSense Advanced-Misc-Cryptographic hardware)

My very limited experience with AES-NI (I just installed the proper hardware 2 days ago and am still running tests) is that with AES crypto active and using AES-GCM128 it doesn't actually push a lot more data through, but it does let the CPU breathe for other stuff.

In other words, before I had AES-NI the router became unresponsive during large transfers, but in the end the transfer went through, through sheer CPU power. Right now, with AES-NI, the transfer is slower (even with a much faster CPU!!!) but the router stays 100% responsive to everything (SNMP, run of the mill routing, etc) - the CPU actually hovers at 3% usage during transfer, as reported by the pfSense dashboard. It used to hit 90%+ on the older non-AES-NI hardware.


I have no idea if this is what to expect (and if so, it's disappointing, I wanted faster transfer). I don't want to hijack your thread but additional hints and tips would be welcomed and would probably help you too.
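A way to answer the original question ("would AES help on this hardware?") and to put numbers on Mike G's observation, as an added example that is not from either poster: it checks the dmesg Features2 line for the two CPU flags AES-GCM offload needs, then uses `openssl speed` to compare 3DES-CBC with AES-128-GCM both with and without AES-NI. It assumes the `openssl` binary is installed and, on FreeBSD/pfSense, that the boot messages are in /var/run/dmesg.boot.

```shell
#!/bin/sh
# Added example, not from the thread: feature check plus cipher benchmark for
# the 3DES+SHA1 vs AES-GCM decision. Assumes `openssl` is on the PATH.

# Succeeds if a dmesg "Features2=..." line lists both AES-NI and PCLMULQDQ
# (AES-NI accelerates the block cipher, PCLMULQDQ accelerates GCM's GHASH).
gcm_accelerated() {
  echo "$1" | grep -qw 'AESNI' && echo "$1" | grep -qw 'PCLMULQDQ'
}

# Largest-block throughput (kB/s, integer) from an `openssl speed` summary line,
# e.g. "aes-128-gcm  693456.37k ... 3432415.23k" -> 3432415
peak_kbytes() {
  echo "$1" | awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v }'
}

# b as an integer percentage of a (e.g. 100000 350000 -> 350)
speedup_pct() {
  awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", (b * 100) / a }'
}

# Summary line for one EVP cipher. With "sw", OpenSSL's documented
# OPENSSL_ia32cap mask clears bit 57 (AES-NI) so the software path is measured.
bench_line() {
  if [ "$2" = "sw" ]; then
    OPENSSL_ia32cap='~0x200000000000000' openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
  else
    openssl speed -elapsed -evp "$1" 2>/dev/null | tail -n 1
  fi
}

# The benchmark takes several seconds per cipher, so it only runs when
# invoked as: sh ipsec_bench.sh run
if [ "${1:-}" = "run" ]; then
  feat=$(grep 'Features2=' /var/run/dmesg.boot 2>/dev/null | head -n 1)
  if gcm_accelerated "$feat"; then
    echo "CPU advertises AES-NI + PCLMULQDQ: AES-GCM can use the hardware path"
  fi
  des=$(peak_kbytes "$(bench_line des-ede3-cbc hw)")
  gcm_sw=$(peak_kbytes "$(bench_line aes-128-gcm sw)")
  gcm_hw=$(peak_kbytes "$(bench_line aes-128-gcm hw)")
  echo "3DES-CBC            : ${des} kB/s"
  echo "AES-128-GCM (no NI) : ${gcm_sw} kB/s ($(speedup_pct "$des" "$gcm_sw")% of 3DES)"
  echo "AES-128-GCM (AES-NI): ${gcm_hw} kB/s ($(speedup_pct "$des" "$gcm_hw")% of 3DES)"
  # GCM already authenticates; 3DES+SHA1 would need a separate HMAC pass on top.
fi
```

The gap between the two AES-GCM rows is what AES-NI buys; the gap between 3DES and software AES-GCM is what the cipher change alone buys, which is why the pfSense page recommends AES-GCM even before the accelerator is enabled.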