Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2019-05-05 Thread Radek
> There is a longstanding bug there that causes the ikeds to lose 
> synchronization.
Is this bug fixed or not in 6.5?


On Wed, 9 Nov 2016 15:19:49 + (UTC)
Christian Weisgerber  wrote:

> On 2016-11-09, "Comète"  wrote:
> 
> > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> > boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
> > maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> > low for an AES-NI enabled processor.
> 
> Well, it still is a slow processor.  For best performance, I'd add
> "childsa enc aes-128-gcm" to the iked configuration.  The default
> cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
> noticeable performance impact.
> 
> > And about 30 seconds after the test is
> > started, I don't know why, the connection is lost and I have to restart the IKED
> > daemon on the "passive" host.
> 
> Every half gigabyte of transferred data, iked rekeys.  There is a
> longstanding bug there that causes the ikeds to lose synchronization.
> They will eventually resync on their own, but it takes several
> minutes.
> 
> -- 
> Christian "naddy" Weisgerber  na...@mips.inka.de
> 


-- 
Radek



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Comète
10 November 2016 12:50 "Stefan Sperling" wrote:

> Yes, that is worth trying as a workaround if you don't have
> clients that require IKEv2. If you control both ends of the
> tunnel then there's absolutely no reason not to try IKEv1.
> 
> I have never seen such a problem with isakmpd but I'm not sure if
> I've ever even hit half a gigabyte in a single session (I mostly
> use it to provide IPsec for mobile data on my phone).
> But since isakmpd has been widely deployed for years I very
> much doubt it still has such bugs.
> 
> Also note that it is currently impossible to run both isakmpd
> and iked on the same OpenBSD host, in case that matters.


Ok, indeed I control both ends of the tunnel, so I'll give it a try.

Thank you.



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Stefan Sperling
On Thu, Nov 10, 2016 at 10:42:13AM +, Comète wrote:
> Now, I can ask the question differently:
> 
> If I don't want the connection to be
> reset every half gigabyte, should I choose isakmpd instead?

Yes, that is worth trying as a workaround if you don't have
clients that require IKEv2. If you control both ends of the
tunnel then there's absolutely no reason not to try IKEv1.

I have never seen such a problem with isakmpd but I'm not sure if
I've ever even hit half a gigabyte in a single session (I mostly
use it to provide IPsec for mobile data on my phone).
But since isakmpd has been widely deployed for years I very
much doubt it still has such bugs.

Also note that it is currently impossible to run both isakmpd
and iked on the same OpenBSD host, in case that matters.



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Comète
10 November 2016 11:00 "Stefan Sperling" wrote:

> On Thu, Nov 10, 2016 at 09:00:07AM +, Comète wrote:
> 
>> Oh, should I understand that IKEv2 is unusable in production?
> 
> This question is counter-productive because it demotivates volunteers.

My goal wasn't to demotivate anyone. Sorry for that.

> 
> Developers may help you out of kindness, or they may help you indirectly
> because the problem affects themselves badly enough to make them care.
> But no volunteer will spend their free time helping you just because
> you need something for production.
> 
> Did you read the large letters in our licence text? Nobody here has any
> obligation to help you with any problem you might have with the software.
> 
> You're using software with a community of people attached to it, not some
> product that you bought with features and promises written on the box that
> you're now entitled to.

I don't want you to lose your free time answering my question. I simply
asked for advice; everyone is free to answer or not. And I don't accuse
anyone, nor do I criticise the quality of the OS and the software.
Now, I can ask the question differently:

If I don't want the connection to be reset every half gigabyte, should I
choose isakmpd instead?

Thanks guys.



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Stefan Sperling
On Thu, Nov 10, 2016 at 09:00:07AM +, Comète wrote:
> Oh, should I understand that IKEv2 is unusable in production?

This question is counter-productive because it demotivates volunteers.

Developers may help you out of kindness, or they may help you indirectly
because the problem affects themselves badly enough to make them care.
But no volunteer will spend their free time helping you just because
you need something for production.

Did you read the large letters in our licence text? Nobody here has any
obligation to help you with any problem you might have with the software.

You're using software with a community of people attached to it, not some
product that you bought with features and promises written on the box that
you're now entitled to.



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Comète
9 November 2016 16:40 "Stuart Henderson" wrote:
> On 2016-11-09, Comète wrote:
> 
>> Hi,
>>
>> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
>> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
>> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
>> low for an AES-NI enabled processor.
> 
> Try it with aes-128-gcm.

Ok, I will try.

> 
>> And about 30 seconds after the test is
>> started, I don't know why, the connection is lost and I have to restart the IKED
>> daemon on the "passive" host.
> 
> Anything in logs? Anything on-screen if you run iked -vd?

No, nothing strange appears if I run iked -vd.

Thanks



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-10 Thread Comète
9 November 2016 16:40 "Christian Weisgerber" wrote:
> On 2016-11-09, "Comète" wrote:
> 
>> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
>> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
>> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
>> low for an AES-NI enabled processor.
> 
> Well, it still is a slow processor. For best performance, I'd add
> "childsa enc aes-128-gcm" to the iked configuration. The default
> cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
> noticeable performance impact.

Ok, thanks for the idea, I will test with these options.

>> And about 30 seconds after the test is
>> started, I don't know why, the connection is lost and I have to restart the IKED
>> daemon on the "passive" host.
> 
> Every half gigabyte of transferred data, iked rekeys. There is a
> longstanding bug there that causes the ikeds to lose synchronization.
> They will eventually resync on their own, but it takes several
> minutes.

Oh, should I understand that IKEv2 is unusable in production? By the way, is it
possible to reduce this delay when iked rekeys?

Thanks.



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Christian Weisgerber
On 2016-11-09, "Comète"  wrote:

> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> low for an AES-NI enabled processor.

Well, it still is a slow processor.  For best performance, I'd add
"childsa enc aes-128-gcm" to the iked configuration.  The default
cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
noticeable performance impact.

> And about 30 seconds after the test is
> started, I don't know why, the connection is lost and I have to restart the IKED
> daemon on the "passive" host.

Every half gigabyte of transferred data, iked rekeys.  There is a
longstanding bug there that causes the ikeds to lose synchronization.
They will eventually resync on their own, but it takes several
minutes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
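The suggestion above applied to the host 2 policy posted at the bottom of this thread, as an added illustration rather than configuration from the thread itself: the first policy is the one as posted and therefore gets iked's default ESP transforms; the second adds the childsa line. Placing childsa between peer and srcid follows the option order in iked.conf(5) as I understand it (an assumption worth checking against the man page of your release), and the host 1 policy needs the same line so both peers offer the same transform.

```conf
# Host 2 policy as posted: no "childsa" line, so the Child SA is negotiated
# with iked's defaults, which the reply above names as aes-256-cbc with
# hmac-sha2-256 (a separate HMAC pass over every packet).
ikev2 "HDV" active esp from $local_gw to $remote_gw \
        from $LAN_LOCAL to $LAN_HDV_INFRA \
        peer $remote_gw srcid $local_gw psk "testpassword"

# Same policy with the suggested AEAD transform. AES-GCM provides
# confidentiality and integrity in one pass, so no separate HMAC is
# computed; "childsa" sits between "peer" and "srcid" (assumed option
# order, see iked.conf(5)). Mirror this line in the host 1 policy.
ikev2 "HDV" active esp from $local_gw to $remote_gw \
        from $LAN_LOCAL to $LAN_HDV_INFRA \
        peer $remote_gw \
        childsa enc aes-128-gcm \
        srcid $local_gw psk "testpassword"
```

The rekey every half gigabyte reported in this thread is independent of the transform choice, so a faster cipher changes throughput but not the resync behaviour described above.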



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Stuart Henderson
On 2016-11-09, Comète wrote:
> Hi,
>
> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> low for an AES-NI enabled processor.

Try it with aes-128-gcm.

> And about 30 seconds after the test is
> started, I don't know why, the connection is lost and I have to restart the IKED
> daemon on the "passive" host.

Anything in logs? Anything on-screen if you run iked -vd?



low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Comète
Hi,

I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
low for an AES-NI enabled processor. And about 30 seconds after the test is
started, I don't know why, the connection is lost and I have to restart the IKED
daemon on the "passive" host.
If I disable the VPN, I get a maximum of 439 Avg Mbps which is not fabulous for
a 1 Gbps link but quite a bit better than 66 Mbps.
The tests were made with tcpbench: tcpbench a.a.a.a on one host and tcpbench
-s on the other one.

No optimisation at all in sysctl.conf, only a default install.

This is the IKEDv2 configuration file on host 2:

ikev2 "HDV" active esp from $local_gw to $remote_gw \
  from $LAN_LOCAL to $LAN_HDV_INFRA \
  peer $remote_gw srcid $local_gw psk "testpassword"

and the IKEDv2 configuration file on host 1:

ikev2 "HDV-CEV" passive esp from $local_gw to $remote_gw \
  from $LAN_HDV_INFRA to $LAN_CEV \
  peer $remote_gw srcid $local_gw psk "testpassword"

My question is, is there any optimisation I can set somewhere to get a better
result with max bandwidth?
Thanks!

Morgan