Might be worth looking at ciphers/hashes and see if switching to a different type improves things.
Don't automatically assume that hw acceleration is going to help; it reduces
cpu use but has high overheads so it can make things worse in some cases.

On 2011-12-09, Brandan Rowley <[email protected]> wrote:
> Hi Aric,
>
> Thanks for the reply. That sounds about right, I'm getting about 7Mbit of
> IPsec traffic. I have tried turning on/off ipcomp with no real improvement.
> For this particular tunnel I'm now needing more throughput. I've been
> looking at the net6501 and am considering giving it a try.
>
> Regards,
> Brandan
>
> -----Original Message-----
> From: Aric Warsaw [mailto:[email protected]]
> Sent: Friday, December 09, 2011 3:43 PM
> To: Brandan Rowley
> Cc: [email protected]
> Subject: Re: [Soekris] vr0 using OpenBSD stops responding.
>
> Hi Brandan
>
> I've experienced just this even with the crypto accelerator card.
> That was back on OpenBSD 4.8. I've found that about 8-10Mbit of IPsec
> traffic is all you're going to get out of these guys...your mileage may vary.
> Taking IPsec full throttle for 30 minutes or longer was causing my 5501 to
> fall off the network....lost layer 2 and serial to the box entirely.
>
> My workaround was to QoS the IPsec traffic down. Another option that I
> hadn't done personally and assuming you've enabled ipcomp, you can turn it
> off to save CPU resources. Again hadn't done it. Most IPsec documentation
> for OpenBSD tells you to enable this in /etc/sysctl.conf, so it might break
> your flows and SAs.
>
> This is the setting: net.inet.ipcomp.enable=1 # 0 to disable or just
> comment out the line
>
> Let us know if you try it and notice a difference. Hope that helps.
>
> -Aric
>
> 2011/12/9 Brandan Rowley <[email protected]>:
>> Hi,
>>
>> I am new to the list so be gentle if this has been posted already. I
>> am using two net5501 (with the VPN chip) running OpenBSD 4.9 to set up
>> a VPN tunnel. The tunnel has been up and running for a while. We've
>> recently added Windows 7 PC to the network. Performing file transfers
>> from the Windows 7 PCs across the VPN tunnel causes the internal
>> interface of the
>> net5501 to stop responding. A reboot is needed to get the interface
>> communicating again. This is repeatable. Windows XP clients have no issues.
>> Is this a fix or workaround for this? I've tried OpenBSD 5.0 and read
>> of similar issues on OpenBSD, but have not found a resolution.
>>
>> Regards,
>> Brandan
>>
>> _______________________________________________
>> Soekris-tech mailing list
>> [email protected]
>> http://lists.soekris.com/mailman/listinfo/soekris-tech
