You're not running AES-GCM, you're running AES-CBC + HMAC-SHA256 > E: rijndael-cbc 221239cf e0ddedc5 88f1f711 5e744723 > A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
Try running AES-GCM. Example (from the work that gnn@ and I did back in 2014/15): https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/dut-aes-gcm.conf https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/source-aes-gcm.conf Results on larger hardware, if you care: https://github.com/freebsd-net/netperf/blob/master/Documentation/Presentations/BSDCan2015.pdf Once you have that running, see if setting net.inet.ipsec.async_crypto=1 helps Also, if PMTU doesn't work on your path, clamp TCP MSS to 1400 on both sides. # ipfw add # tcp-setmss 1400 <blah blah blah> or scrub on <interface> max-mss 1400 in your pf.conf That all said, I only get around 400Mbps using AES-GCM over a real 1gbps path between my house and work running a C2558 at home. I'm running pfSense (because... you know...), but you should be able to achieve similar results with a stock FreeBSD 11.2 system. If you want to go faster, we've seen 856 mbps over a pair of C3558s, using just AES-GCM w/AES-NI. This is with 'pf' on, and KPI mitigations running, btw. If anything, i'd expect routed ipsec to be a bit faster. Jim On Thu, Aug 9, 2018 at 3:55 PM, Andrey V. Elsukov <bu7c...@yandex.ru> wrote: > On 09.08.2018 23:11, David P. Discher wrote: > > The documentation for using IPSec (especially if_ipsec) is really thin > > for freebsd, so I pieced some of this together from various posts and > > mailing lists threads. > > > > Is there no need for racoon ? How in this example is the IKE/ISAKMP > > setup done ? Is setkey doing this ? > > > This is 11.2-stable, shortly after release … I don’t have this sysctl. > > This is manually configured tunnel between two FreeBSD 12.0-CURRENT > hosts. I can suggest to try patch and config from this post: > > https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html > > >> Need to see your setkey.conf, or at least the output of setkey -D.. > > > > > > setkey.conf is : > > > > flush; > > spdflush; > > > > spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec > > esp/tunnel/10.245.0.201-10.245.0.202/unique:12; > > spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec > > esp/tunnel/10.245.0.202-10.245.0.201/unique:12; > > spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec > > esp/tunnel/10.245.0.201-10.245.0.203/unique:4; > > spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec > > esp/tunnel/10.245.0.203-10.245.0.201/unique:4; > > You don't need to create security policies for if_ipsec interfaces. They > are created by interface automatically. > > -- > WBR, Andrey V. Elsukov > > _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
