Thank you Stuart and Christian.
>In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
> throughput on this hardware.
It gives me up to 700KB/s.
> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
"childsa enc chacha20-poly1305" does the trick. It gives me up to 3MB/s
On 2019-01-21, Radek wrote:
> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN throughput up to 750KB/s but it
On 2019-01-21, Radek wrote:
> I changed default crypto to:
>
> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN
I changed default crypto to:
ikev2 quick active esp from $local_gw to $remote_gw \
from $local_lan to $remote_lan peer $remote_gw \
ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
childsa enc aes-128-ctr \
psk "pass"
That increased VPN throughput up to 750KB/s but it is still too
To be more precise:
I use net/ifstat for current bw testing.
If I push data by netcat over public IPs, it is up to 5MB/s.
If I push data by netcat through VPN, it is up to 400KB/s.
Endusers in LANs also complain about VPN bw.
> You should use curl + nginx (with tmpfs) or iperf for bw testing.
I d
On Fri, Jan 18, 2019 at 8:58 AM Radek wrote:
> I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> net5501-70).
> Over the internet my transfer speed between these machines is up to
> 5000KB/s (it is OK).
> Over the VPN it is up to 400KB/s only.
>
> Is there any way to squeeze
I have configured Site-to-Site ikev2 VPN between two routers (Soekris
net5501-70).
Over the internet my transfer speed between these machines is up to 5000KB/s
(it is OK).
Over the VPN it is up to 400KB/s only.
Is there any way to squeeze more performance out from these hardware and speed
up th
On 2012-10-24, Michael Sideris wrote:
> Also, OpenBSD 5.2 is around the corner and you never know what that might
> bring.
There's a commit from just after 5.2 which is relevant to some
packet forwarding setups, which might be of interest..
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/
Actually, scratch that. I was looking at nfs(5) from an old SL 5.7 box
I have here which explicitly states:
"tcpMount the NFS filesystem using the TCP protocol. This
is the default protocol."
This is not the case anymore though, thanks for bringing that to my attention.
On Wed, Oct
On Wed, Oct 24, 2012 at 12:57 AM, Michael Sideris wrote:
> I am using the NFS defaults which means, according to the man page at
> least, that it should go over TCP.
Hmm, I don't believe that to be the case. What man page text are you
seeing says the default is TCP?
Philip Guenther
I am using the NFS defaults which means, according to the man page at
least, that it should go over TCP. Regardless, I think I have a fair
idea of what is what happening now. Or at least better than I had
before. I will try to tweak things around a bit until I find the right
balance between perform
On Tue, Oct 23, 2012 at 10:18 AM, Michael Sideris wrote:
> While I am not required to comply with any particular crypto
> standards, I have NFS data passing through that link which I would
> classify asfairly sensitive.
hmm, if you're using udp mounts for NFS you might want to try tcp
instead
Michael Sideris wrote:
> It seems that changing to hmac-md5 boosted network throughput from
> ~50Mbit/s to ~100Mbit/s which is decent and reasonable. I am going to
> experiment a bit further with `scrub` options in pf.conf to see if I
> can squeeze more performance out of the link. The question n
While I am not required to comply with any particular crypto
standards, I have NFS data passing through that link which I would
classify asfairly sensitive. That being said, I am not sure how to
check the re-keying frequency except watching `ipsecctl -m`. I am not
sure if PFS is enabled by defa
On Mon, Oct 22, 2012 at 4:10 PM, Michael Sideris wrote:
> It seems that changing to hmac-md5 boosted network throughput from
> ~50Mbit/s to ~100Mbit/s which is decent and reasonable. I am going to
> experiment a bit further with `scrub` options in pf.conf to see if I
> can squeeze more performance
It seems that changing to hmac-md5 boosted network throughput from
~50Mbit/s to ~100Mbit/s which is decent and reasonable. I am going to
experiment a bit further with `scrub` options in pf.conf to see if I
can squeeze more performance out of the link. The question now
ishow much is security aff
I ran a few more tests on a local setup:
* 2 x OpenBSD 5.1 (i386) w/ Gbit NICs connected on the same switch
* `cat /etc/ipsec.conf`: "ike esp from 10.0.0.1 to 10.0.0.2" (and vice versa)
* pf is disabled
Running `isakmpd -K ; ipsecctl -f /etc/ipsec.conf` "caps" tcpbench at
~50Mbit speeds, same as
`ping -c10`
(L-VPN --> G-VPN)
PING G.G.G.G (G.G.G.G): 56 data bytes
64 bytes from G.G.G.G: icmp_seq=0 ttl=255 time=17.073 ms
64 bytes from G.G.G.G: icmp_seq=1 ttl=255 time=3.604 ms
64 bytes from G.G.G.G: icmp_seq=2 ttl=255 time=3.666 ms
64 bytes from G.G.G.G: icmp_seq=3 ttl=255 time=3.716 ms
64 b
18 matches
Mail list logo
