On 2019-01-21, Radek <alee...@gmail.com> wrote:
> I changed default crypto to:
>
> ikev2 quick active esp from $local_gw to $remote_gw \
>         from $local_lan to $remote_lan peer $remote_gw \
>         ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
>         childsa enc aes-128-ctr \
>         psk "pass"
>
> That increased VPN throughput up to 750KB/s but it is still too slow.
> Maybe some sysctl tweaks would also help with this?
Try chacha20-poly1305 instead of aes-128-ctr, it may help a little. I don't think any sysctl is likely to help.

750KB/s is maybe a bit slower than I'd expect but that 10+ year old net5501 is *not* a fast machine. You might be able to squeeze a bit more from it but probably not a lot, it won't be getting anywhere near your line speed even with larger packets, and will be terribly overloaded for small packets e.g. voip.

Do you have any other hardware you can use? If buying new, apu2/apu4 would be good/easy options for running OpenBSD on, but if you have anything with enough NICs and AES (or at least PCLMUL) showing in the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use suitable ciphers (try "quick enc aes-128-gcm"), it should be way better than the 5501.

>> To be more precise:
>> I use net/ifstat for current bw testing.
>> If I push data by netcat over public IPs, it is up to 5MB/s.
>> If I push data by netcat through VPN, it is up to 400KB/s.
>> End users in LANs also complain about VPN bw.

The best test would be run between LAN machines rather than the routers. Generating traffic on the router itself means it's constantly switching between kernel and userland which won't be helping. Still, your test is good enough to show that things are much slower with IPsec enabled.

>> > is the HEADER compression activated ?
>> I do not know. How can I check it out?

I don't know what compression that would be. There is ROHCoIPsec (RFC5856) but OpenBSD doesn't support that. There is ipcomp (packet compression) which can be configured in iked, but the last thing you want to do on this hardware is add more cpu load by compressing. (It is not configured in the sample you sent.)
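The reply above says to look for AES (or at least PCLMUL) in the cpu attach line of dmesg before picking aes-128-gcm. As an added example, not part of this thread, the POSIX shell check below pulls the flag list out of the "cpu0:" feature line and reports which of those two flags is present; the function names are my own and the two dmesg excerpts are constructed samples of a modern amd64 box and an older 586-class box, not captured output.

```shell
#!/bin/sh
# Added example: does the cpu0 attach line in an OpenBSD dmesg advertise
# the AES or PCLMUL flags? Sample text below is constructed, not captured.

# Constructed sample: an amd64 box that advertises both AES and PCLMUL.
SAMPLE_MODERN='cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz, 3392.33 MHz, 06-3c-03
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache'

# Constructed sample: an older 586-class box with no crypto extensions.
SAMPLE_OLD='cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW'

# cpu_flags DMESG_TEXT: print the comma-separated feature list from the
# first "cpu0: FLAG,FLAG,..." line (the cpu0 line with no spaces after ": ").
cpu_flags() {
    printf '%s\n' "$1" |
        awk '/^cpu0: [A-Za-z0-9_.-]+(,[A-Za-z0-9_.-]+)+$/ { print $2; exit }'
}

# has_flag DMESG_TEXT FLAG: exit 0 if FLAG is in the feature list, 1 if not.
has_flag() {
    cpu_flags "$1" | tr ',' '\n' | grep -qx "$2"
}

# crypto_verdict DMESG_TEXT: "aes" (AES-NI present), "pclmul" (only the
# carry-less multiply used for GCM's GHASH) or "none".
crypto_verdict() {
    if has_flag "$1" AES; then
        echo aes
    elif has_flag "$1" PCLMUL; then
        echo pclmul
    else
        echo none
    fi
}

# Run with --live to check the machine you are on instead of the samples.
if [ "${1:-}" = "--live" ]; then
    printf 'cpu crypto support: %s\n' "$(crypto_verdict "$(dmesg)")"
fi
```

A result of "none" means the box has the same problem as the net5501 in the thread: every AES block goes through software, so faster ciphers or new hardware are the only real options.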