On 2019-06-10, mabi <[email protected]> wrote:

> Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput
> which is quite satisfying. The bandwidth throughput over my IPsec tunnel
> achieves a max of 80 Mbit/s which I was sort of expecting with the default
> encryption settings (auth hmac-sha2-256 enc aes-256).

It helps to understand that the authentication algorithm can require as much or more CPU than the encryption. HMAC-SHA2 is expensive. On hardware that has AES-NI support, like the APU2 family, AES-GCM is generally the fastest encryption/authentication combo.

> In order to increase bandwidth throughput over my IPsec tunnel I wanted to
> know what you guys think is a good compromise between performance and
> security? I was thinking for example of changing the encryption cipher to
> aes-128 instead of aes-256 and maybe blowfish? What would you recommend?

AES-128 is good enough, although on the APU2 family with AES-NI it seems to be only marginally faster than AES-256.

Don't use Blowfish. It's obsolete. And its reputation for speed precedes the introduction of AES.

> Anything else I should be looking at? maybe like a hardware crypto
> accelerator miniPCI card compatible with the APU4 and OpenBSD?

No, that was 15 years ago.

-- 
Christian "naddy" Weisgerber [email protected]
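The following script is an added example, not part of the message above: it turns `openssl speed` figures into a side-by-side estimate of a separate cipher plus MAC against AES-GCM at a packet-sized block (1024 bytes). It assumes an `openssl` whose `speed` subcommand accepts these `-evp` names, uses plain SHA-256 as a stand-in for HMAC-SHA2-256, and models cipher and MAC as two serial passes; the sample figures are constructed, not measurements.

```shell
#!/bin/sh
# Added example (not from the thread): CBC+HMAC versus GCM cost on this CPU.

# Print the 1024-byte column (1000s of bytes/s) of the `openssl speed`
# result line for algorithm $1; input on stdin. Fails if the line is absent.
kbps_1024() {
    awk -v alg="$1" '
        tolower($1) == tolower(alg) && $5 ~ /k$/ { sub(/k$/, "", $5); v = $5 }
        END { if (v == "") exit 1; print v }'
}

# Throughput of two passes over the same data, cipher then MAC:
# 1 / (1/enc + 1/auth). The serial-cost model is an assumption.
combined() {
    awk -v e="$1" -v a="$2" 'BEGIN { printf "%.0f\n", (e * a) / (e + a) }'
}

# Constructed sample figures, used when the script is run without "run".
SAMPLE='aes-256-cbc   100000.00k 200000.00k 300000.00k 400000.00k 500000.00k
sha256         50000.00k 100000.00k 150000.00k 200000.00k 250000.00k
aes-128-gcm   150000.00k 300000.00k 450000.00k 600000.00k 750000.00k'

figure() {  # $1 = algorithm; benchmark it, or read the constructed sample
    if [ "$MODE" = run ]; then
        openssl speed -evp "$1" 2>/dev/null | kbps_1024 "$1"
    else
        printf '%s\n' "$SAMPLE" | kbps_1024 "$1"
    fi
}

report() {
    cbc=$(figure aes-256-cbc) || return 1
    sha=$(figure sha256) || return 1
    gcm=$(figure aes-128-gcm) || return 1
    echo "aes-256-cbc + sha256: $(combined "$cbc" "$sha")k  aes-128-gcm: ${gcm}k"
}

MODE=${1:-sample}
report
```

Pass `run` as the first argument to benchmark the local machine instead of reading the constructed sample; each algorithm takes several seconds.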

