aes 256 performance

[bhawk]

Hello
Have lanner 8759. Testing out aes 256 performance
config at both ends:
Mode: MAin
P1 protocol: aes 256 and sha1
p2 protocol: esp and sha1

I am getting throughput of about 420 Mbps (measured through iperf)
I was wondering if this is good on a xeon e3-1275 processor?
Also it supports aes ni, does that get enabled by default or has to be enabled via bios?
Lastly are there any tunables that i can play around with to increase performance since my cpu utilization hardly gets upto 15%?

[elektroinside]

The info is very vague, nobody could approximate an answer...
How are you testing the throughput?
Describe a little your server/client environment, your link/connection details etc.

[elektroinside]

For example:

Code Select Expand

PS C:\iperf-3.1.3-win64> .\iperf3.exe -c xxx.xxx.xxx.xxx -p 61747
Connecting to host xxx.xxx.xxx.xxx, port 61747
[  4] local xxx.xxx.xxx.xxx port 21242 connected to xxx.xxx.xxx.xxx port 61747
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  12.9 MBytes   108 Mbits/sec
[  4]   1.00-2.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   2.00-3.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   3.00-4.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   4.00-5.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   5.00-6.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   6.00-7.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   7.00-8.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   8.00-9.00   sec  13.5 MBytes   113 Mbits/sec
[  4]   9.00-10.00  sec  12.8 MBytes   107 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   133 MBytes   111 Mbits/sec                  receiver

iperf Done.
PS C:\iperf-3.1.3-win64> .\iperf3.exe -c xxx.xxx.xxx.xxx -p 3398
Connecting to host xxx.xxx.xxx.xxx, port 3398
[  4] local xxx.xxx.xxx.xxx port 21385 connected to xxx.xxx.xxx.xxx port 3398
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   1.00-2.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   2.00-3.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   3.00-4.00   sec  13.2 MBytes   111 Mbits/sec
[  4]   4.00-5.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   5.00-6.00   sec  13.4 MBytes   112 Mbits/sec
[  4]   6.00-7.00   sec  13.1 MBytes   110 Mbits/sec
[  4]   7.00-8.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   8.00-9.00   sec  13.0 MBytes   109 Mbits/sec
[  4]   9.00-10.00  sec  13.2 MBytes   111 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   132 MBytes   111 Mbits/sec                  sender
[  4]   0.00-10.00  sec   132 MBytes   110 Mbits/sec                  receiver

iperf Done.

Environment:
- two computers, same ISP, different locations, different link types and speeds

The test:
- the first test is without any encrypted tunnels
- the second is with an AES 512 encrypted tunnel
- the lowest link speed of the two matches the AES encryption throughput as well, as it is low enough not to max out the CPU, meaning I could never get a higher throughput because I don't have an internet connection between the two high enough

And this is just a simple test between two machines over the internet. Both tests initiated from the same machine.

But, in order to max out your CPU, try a LAN test, with and without encryption.

If you're using Windows clients as well, you might consider this software (SG TCP Optimizer) to tweak general TCP/IP performance of your clients: https://www.speedguide.net/downloads.php

[mimugmail]

You get best and most secure results with Ike V2, aes128 gcm, sha256 and DH24

[elektroinside]

Most secure is relative :)

Nowadays, there's a recipe for which one to use where:
- for site to site, you will typically deploy IPSec
- for remote, you will typically deploy an SSL VPN (OpenVPN for example)

There's some good reasoning behind this. If you travel a lot, IPSec might be useless as it is blocked most of the times, whereas you can configure OpenVPN over HTTPS (TCP port 443) which is almost never blocked.

Accessibility, in this case, is more important than performance.

[bhawk]

Apologies for not sharing topology.
Since this is out of curiosity more than anything, i have connected 2 firewalls back to back . Figure is attached.
VPN details shared already. Iperf server is hosted on 192.168.2.2, client from 192.168.3.2. Both PCs running windows 7

[mimugmail]

Then choose the values I posted earlier :)

[bhawk]

performance at the cost of security not the purpose :)

[mimugmail]

Then you should not use SHA1?!  :o

[slemoal@tiscom.fr]

your perf it's correct

The downside to OpenVPN is that in its current architecture, it is not scalable. It runs as a monolithic process and cannot run multi-threaded. This means that if you have a beefy processor with 8 cores OpenVPN will use 1 of them.

if you want compare with other model  Lanner i'm realized a perf test.
http://www.calexium.com/produits/tests-de-performance.html#T3

[bhawk]

http://calexium.com/produits/tests-de-performance.html#T3

Link is wrong? please recheck

[slemoal@tiscom.fr]

link is ok :)

[elektroinside]

link is ok :)

Not really...

[Ciprian]

Mee too, not really, link is like elektroinside's one

[slemoal@tiscom.fr]

https://www.calexium.com/fr/produits/tests-de-performance.html
and now?