Thank you Stuart and Christian.

> In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
> throughput on this hardware.

It gives me up to 700KB/s.

> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.

"childsa enc chacha20-poly1305" does the trick. It gives me up to 3MB/s.
I think it is the throughput I need, but what about security with CHACHA
vs AES? Should I buy new routers ASAP and change enc to AES, or stay calm
with CHACHA?

> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.

No, I don't have any - that's the problem. I'm trying *not* to buy new
APUs because it seems to be quite expensive (very small company, only 3
end users at a remote location). I think 3MB/s over VPN is sufficient. If
not, I (they) will have no choice. Will the APU.2D2 be OK for that
purpose, or another board, considering price/performance?
https://www.pcengines.ch/apu2d2.htm

> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.

True. I use a LAN machine on one side in my netcat tests, but I don't
have any on the other side, so I have to use the router.

On Mon, 21 Jan 2019 13:52:41 +0000 (UTC)
Stuart Henderson <[email protected]> wrote:

> On 2019-01-21, Radek <[email protected]> wrote:
> > I changed default crypto to:
> >
> > ikev2 quick active esp from $local_gw to $remote_gw \
> > from $local_lan to $remote_lan peer $remote_gw \
> > ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> > childsa enc aes-128-ctr \
> > psk "pass"
> >
> > That increased VPN throughput up to 750KB/s but it is still too slow.
> > Maybe some sysctl tweaks would also help with this?
>
> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
> I don't think any sysctl is likely to help.
>
> 750KB/s is maybe a bit slower than I'd expect but that 10+ year old
> net5501 is *not* a fast machine. You might be able to squeeze a bit more
> from it but probably not a lot, it won't be getting anywhere near your
> line speed even with larger packets, and will be terribly overloaded
> for small packets e.g. voip.
>
> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
>
> >> To be more precise:
> >> I use net/ifstat for current bw testing.
> >> If I push data by netcat over public IPs, it is up to 5MB/s.
> >> If I push data by netcat through VPN, it is up to 400KB/s.
> >> Endusers in LANs also complain about VPN bw.
>
> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
>
> >> > is the HEADER compression activated ?
> >> I do not know. How can I check it out?
>
> I don't know what compression that would be. There is ROHCoIPsec (RFC5856)
> but OpenBSD doesn't support that.
>
> There is ipcomp (packet compression) which can be configured in iked,
> but the last thing you want to do on this hardware is add more cpu load
> by compressing. (it is not configured in the sample you sent).

--
radek
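As an added example (not from this thread and not part of OpenBSD's iked), a small Python check that applies Stuart's rule of thumb: read the cpu0 feature-flag line from dmesg, pick aes-128-gcm when AES (AES-NI) is listed and chacha20-poly1305 otherwise, and compare that with the childsa enc transform found in an iked.conf policy; it also flags non-AEAD transforms such as aes-128-ctr, which need a separate auth pass over every packet. The dmesg excerpts and the policy text below are constructed for this example.

```python
from __future__ import annotations
import re

# ESP transforms that are AEAD (cipher and integrity in one pass). Anything
# else, e.g. aes-128-ctr or aes-128, needs a separate 'auth' transform, which
# is a second pass over each packet. Partial list: the ciphers named in the
# thread plus the 192/256-bit GCM siblings.
AEAD_ENC = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-poly1305"}

# Constructed sample inputs for this example (not captured from real boxes).
DMESG_NO_AESNI = """cpu0: Example 586-class CPU (constructed), 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,CMOV,MMX"""
DMESG_AESNI = """cpu0: Example amd64 CPU (constructed), 1000 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,CX8,SEP,CMOV,MMX,SSE,SSE2,PCLMUL,SSE4.1,AES,AVX"""
IKED_CONF = '''ikev2 quick active esp from $local_gw to $remote_gw \\
    from $local_lan to $remote_lan peer $remote_gw \\
    ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \\
    childsa enc aes-128-ctr \\
    psk "pass"
'''

def cpu_flags(dmesg: str) -> set[str]:
    """Collect feature flags from the cpu0 attach lines (comma list, no spaces)."""
    flags: set[str] = set()
    for line in dmesg.splitlines():
        m = re.match(r"cpu0:\s+([A-Za-z0-9.,_-]+)$", line.strip())
        if m and "," in m.group(1):      # skip the model/frequency line
            flags.update(m.group(1).split(","))
    return flags

def recommend_enc(flags: set[str]) -> str:
    """Stuart's rule: AES-NI present -> aes-128-gcm, otherwise chacha20-poly1305."""
    return "aes-128-gcm" if "AES" in flags else "chacha20-poly1305"

def configured_enc(iked_conf: str) -> str | None:
    """Return the childsa enc transform of an iked.conf policy, if present."""
    m = re.search(r"childsa\s+enc\s+(\S+)", iked_conf)
    return m.group(1) if m else None

def check_policy(iked_conf: str, dmesg: str) -> dict:
    """Compare the configured ESP cipher with what this CPU handles best."""
    enc = configured_enc(iked_conf)
    rec = recommend_enc(cpu_flags(dmesg))
    return {"configured": enc, "aead": enc in AEAD_ENC,
            "recommended": rec, "ok": enc == rec}

if __name__ == "__main__":
    print(check_policy(IKED_CONF, DMESG_NO_AESNI))
```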

