Date: Tue, 5 Nov 2019 22:55:10 +0100 From: "Muenz, Michael" <m.muenz@spam-fetish.org> To: freebsd-net@freebsd.org Subject: Re: 10g IPsec ? Message-ID: <9ebdf1d3-03da-6a4c-a9ea-aafee93eccd8@spam-fetish.org> In-Reply-To: <20191105191514.GG8521@funkthat.com> References: <20191104194637.GA71627@home.opsec.eu> <20191105191514.GG8521@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 05.11.2019 um 20:15 schrieb John-Mark Gurney: > Kurt Jaeger wrote this message on Mon, Nov 04, 2019 at 20:46 +0100: >> Has anyone experience with operating a highspeed IPsec connection >> up to 10gigabit/s between 2 FreeBSD hosts ? >> >> Is that speed achievable ? How much tuning is necessary ? > I haven't, but do know some hints. Make sure that you have a machine > w/ AESNI, AND make sure you're using AES-GCM or AES-CTR.. Using > AES-GCM is best as it avoids using a costly auth algorithm, as the > AESNI instructions provide instructionts to make the GCM (auth) part > of AES-GCM faster. > > AES-GCM can run at over 1GB/sec on a single core, so as long as the > traffic can be processed by multiple threads (via multiple queues > for example), it should be doable. > These were my short results via OPNsense on 4 year old XEONs. So its 11.2, mostly untuned and strongswan as IPsec implementation. If you need more detailed specs just drop me a line. https://www.routerperformance.net/comparing-opnsense-vpn-performance/ Best, Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9ebdf1d3-03da-6a4c-a9ea-aafee93eccd8>