On 9 November 2016 16:40, "Christian Weisgerber" <[email protected]> wrote:
> On 2016-11-09, "Comète" <[email protected]> wrote:
>
>> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
>> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
>> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
>> low for an AES-NI enabled processor.
>
> Well, it still is a slow processor. For best performance, I'd add
> "childsa enc aes-128-gcm" to the iked configuration. The default
> cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
> noticeable performance impact.

Ok thanks for the idea, I will test with these options.

>> And about 30 seconds after the test is
>> started, I don't know why, the connection is lost and I have to restart the IKED
>> daemon on the "passive" host.
>
> Every half gigabyte of transferred data, iked rekeys. There is a
> longstanding bug there that causes the ikeds to lose synchronization.
> They will eventually resync on their own, but it takes several
> minutes.

Oh, should I understand that IKEv2 is unusable in production? By the way, is it possible to reduce this delay when iked rekeys?

Thanks.

