Date: Tue, 7 Sep 2004 17:02:49 +0100 (BST)
From: Vince Hoffman <jhary@unsane.co.uk>
To: Omer Faruk Sen <ofsen@enderunix.org>
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD VPN performance
Message-ID: <20040907165451.B97892@unsane.co.uk>
In-Reply-To: <20040907131502.1015.qmail@istanbul.enderunix.org>
References: <20040907131502.1015.qmail@istanbul.enderunix.org>
On Tue, 7 Sep 2004, Omer Faruk Sen wrote:

> Hi,
>
> I have been given the task of testing the VPN performance of the FreeBSD
> IPSEC subsystem. I am not that familiar with IPsec terms (I just started to
> read IPSEC documents about 5 days ago). I wanted to share my observations:
>
> My hardware is: P IV 2.8, 256 MB, fxp NIC
>
> First of all I have used FreeBSD 4.10 Stable, not FreeBSD 5 (maybe I have to
> test FreeBSD 5 too; I think especially the MP-safe network stack and
> multithreaded kernel give better performance?).
>
> FAST_IPSEC currently works faster than IPSEC even if I don't use a hardware
> accelerator. I have used rijndael-cbc (192 bit) and hmac-sha1 (160 bit) for my
> test. I have used 3des (192 bit) and hmac-md5 (128 bit) but it gives less
> performance.
>
> Here is my kernel configuration (I have a problem with my kernel
> configuration: after booting with this kernel, top and vmstat refused to run.
> I am not sure if it is just a kernel/system incompatibility (4.10-Release
> system vs 4.10-Stable kernel) problem or a missing option in my kernel):

Often implies your userland is out of sync. I'd follow the instructions in
/usr/src/Makefile to update your userland.

> machine         i386
> cpu             I686_CPU
> makeoptions     COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
> ident           IPSEC
> maxusers        0
>
> options         INET                    #InterNETworking
> options         FFS                     #Berkeley Fast Filesystem
> options         FFS_ROOT                #FFS usable as root device [keep this!]
> options         SOFTUPDATES             #Enable FFS soft updates support
> options         UFS_DIRHASH             #Improve performance on big directories
> options         CD9660                  #ISO 9660 Filesystem
> options         PROCFS                  #Process filesystem
> options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
> options         UCONSOLE                #Allow users to grab the console
> options         USERCONFIG              #boot -c editor
> options         VISUAL_USERCONFIG       #visual boot -c editor
> options         SYSVSHM                 #SYSV-style shared memory
> options         NSWAPDEV=1
> options         NFS_NOSERVER
> options         SYSVMSG                 #SYSV-style message queues
> options         SYSVSEM                 #SYSV-style semaphores
> options         P1003_1B                #Posix P1003_1B real-time extensions
> options         _KPOSIX_PRIORITY_SCHEDULING
> options         ICMP_BANDLIM            #Rate limit bad replies
>
> device          pci
> device          isa
>
> device          ata0    at isa? port IO_WD1 irq 14
> device          ata1    at isa? port IO_WD2 irq 15
> device          ata
> device          atadisk                 # ATA disk drives
> device          atapicd                 # ATAPI CDROM drives
> options         ATA_STATIC_ID           #Static device numbering
>
> device          atkbdc0 at isa? port IO_KBD
> device          atkbd0  at atkbdc? irq 1 flags 0x1
> device          psm0    at atkbdc? irq 12
>
> device          vga0    at isa?
>
> # syscons is the default console driver, resembling an SCO console
>
> device          npx0    at nexus? port IO_NPX irq 13
>
> # Serial (COM) ports
> device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
> #device         sio1    at isa? port IO_COM2 irq 3
>
> device          miibus                  # MII bus support
> device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
> device          vr                      # VIA Rhine, Rhine II
>
> # Pseudo devices - the number indicates how many units to allocate.
> pseudo-device   loop                    # Network loopback
> pseudo-device   ether                   # Ethernet support
> pseudo-device   pty                     # Pseudo-ttys (telnet etc)
> pseudo-device   gif                     # IPv6 and IPv4 tunneling
>
> pseudo-device   bpf     4               #Berkeley packet filter
>
> #options        IPSEC                   #IP security
> #options        IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
> options         FAST_IPSEC              #new IPsec
> pseudo-device   crypto                  # core crypto support
> pseudo-device   cryptodev               # /dev/crypto for access to h/w
>
> options         RANDOM_IP_ID
> options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
> options         HZ=2000
> options         DEVICE_POLLING
> options         NMBCLUSTERS=65536       #This may not be required since we can
>                                         #tweak it in /boot/loader.conf
>
> #Make console nonchangeable
> options         SC_NO_CUTPASTE
> options         SC_NO_FONT_LOADING
> options         SC_NO_SYSMOUSE
> options         VGA_NO_FONT_LOADING     # don't save/load font
> options         VGA_NO_MODE_CHANGE      # don't change video modes
>
> My loader.conf is set to:
>
> kern.ipc.nmbclusters="65536"
>
> My sysctl.conf:
> net.inet.ip.forwarding=1
> vfs.vmiodirenable=1
> kern.ipc.maxsockbuf=2097152
> kern.ipc.somaxconn=8192
> kern.maxfiles=65536
> kern.maxfilesperproc=32768
> net.inet.tcp.rfc1323=1
> net.inet.tcp.sendspace=32768
> net.inet.tcp.recvspace=65536
> net.inet.udp.recvspace=65536
> net.inet.udp.maxdgram=65536
> net.local.stream.recvspace=65536
> net.local.stream.sendspace=65536
> net.inet.icmp.bmcastecho=0
> net.inet.icmp.maskrepl=0
> net.inet.ip.accept_sourceroute=0
> net.inet.ip.sourceroute=0
> #net.inet.icmp.log_redirect=1
> net.inet.icmp.drop_redirect=1
> net.inet.tcp.delayed_ack=1
> kern.ps_showallprocs=0
> net.inet.tcp.inflight_enable=1
> # required for HTT
> machdep.hlt_logical_cpus=0
> kern.polling.enable=1
>
> I have installed racoon as IKE but I have had some problems with it and
> after reading the kame racoon ml
> (http://www.kame.net/racoon/racoon-ml/msg00605.html) I have used this patch
> along with the 20040818a version of racoon and it seems that the problems
> have been solved.
> I want to try isakmpd since it seems to give better performance.
> Here is my racoon.conf:
>
> remote anonymous
> {
>         #exchange_mode main,aggressive;
>         exchange_mode aggressive,main;
>         doi ipsec_doi;
>         situation identity_only;
>
>         #my_identifier address;
>         #my_identifier user_fqdn "sakane@kame.net";
>         #peers_identifier user_fqdn "sakane@kame.net";
>         #certificate_type x509 "mycert" "mypriv";
>
>         nonce_size 16;
>         lifetime time 12 hour;  # sec,min,hour
>         initial_contact on;
>         support_mip6 on;
>         proposal_check obey;    # obey, strict or claim
>
>         proposal {
>                 encryption_algorithm rijndael;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key ;
>                 dh_group 2 ;
>         }
> }
>
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 12 hour;
>         encryption_algorithm rijndael;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate ;
> }
>
> With this configuration we have received about 68 Mbit/s without any packet
> loss. But after raising the limit (Shomiti Surveyor used for that) packets
> started to get lost.
>
> I know this is a long and terribly formatted mail but can someone give me
> advice for raising the performance of my FreeBSD VPN system? It has just
> come to my mind that maybe changing kern.poll gives me better performance?
> I am planning to write a FreeBSD VPN performance paper if I gain better
> performance.
>
> PS: By the way, if I use manually created keys I get better performance. But
> it seems peculiar to me since I have set the key lifetime to 12 hours, so I
> have decided that racoon (IKE daemons) has an effect on VPN performance. Is
> that true? If it is true can you explain why it has an effect on performance
> with a key lifetime of 12 hours.
>
> -----------------------
> Omer Faruk Sen
> http://www.EnderUNIX.ORG
> Software Development Team @ Turkey
> http://www.Faruk.NET
> For Public key: http://www.enderunix.org/ofsen/ofsen.asc
> ********************************************************
>
> First Turkish FreeBSD book is out!
> Go check it.
> Have you heard? Turkey's first FreeBSD book is out.
> http://www.acikkod.com/freebsd.php
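The racoon.conf quoted in the message above is where the strength of the IKE exchange and of the resulting SAs is decided, so it is worth checking those settings mechanically rather than by eye. The script below is an added example, not code from the thread or from racoon: it parses the brace-delimited remote/sainfo blocks into a dictionary and reports settings a reviewer would flag. The embedded configuration is a constructed copy of the quoted one (commented-out lines dropped); the MODP group sizes come from RFC 2409 and RFC 3526; the severity labels and the 2048-bit threshold are this example's own choices. On that input it reports that aggressive mode is offered together with pre_shared_key (in IKEv1 aggressive mode the identities travel unencrypted and the PSK-keyed hash is exposed to offline guessing, which main mode avoids), that dh_group 2 is a 1024-bit group, and that pfs_group 1 is the 768-bit group.

```python
"""Parse racoon.conf proposal settings and report weak IKE/IPsec choices.
Added example, not part of the original mailing-list post or of racoon."""
import re

# Constructed sample: the remote/sainfo blocks quoted in the thread.
SAMPLE_CONF = """
remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 12 hour;  # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm rijndael;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 12 hour;
        encryption_algorithm rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
"""

# Modulus size in bits of the MODP groups (RFC 2409 groups 1/2, RFC 3526 5/14).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def parse_racoon_conf(text):
    """Return {block_path: {key: value}} for every brace-delimited block.

    block_path is "remote anonymous" for a top-level block and
    "remote anonymous/proposal" for a nested one.  '#' comments are dropped,
    a statement ends at ';' and its first word is the key.
    """
    clean = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    blocks, stack, pending = {}, [], ""
    for tok in re.findall(r"[{};]|[^{};]+", clean):
        path = "/".join(" ".join(h) for h in stack)
        if tok == "{":                      # the header words precede the brace
            stack.append(pending.split())
            blocks.setdefault("/".join(" ".join(h) for h in stack), {})
            pending = ""
        elif tok == "}":
            stack.pop()
            pending = ""
        elif tok == ";":
            words = pending.split()
            if words:
                blocks.setdefault(path, {})[words[0]] = " ".join(words[1:])
            pending = ""
        else:
            pending += tok
    return blocks


def _check_group(findings, path, value, key):
    """Flag a dh_group/pfs_group whose MODP modulus is below 2048 bits."""
    if value is None:
        return
    group = int(value)
    bits = MODP_BITS.get(group)
    if bits is None:
        findings.append(("info", path, f"{key} {group}: group not in this table"))
    elif bits < 2048:
        severity = "weak" if bits < 1024 else "warn"
        findings.append((severity, path, f"{key} {group}: {bits}-bit MODP"))


def audit(blocks):
    """Return (severity, block_path, message) tuples for questionable settings."""
    findings = []
    for path, kv in blocks.items():
        if path.startswith("remote ") and "/" not in path:
            modes = [m.strip() for m in kv.get("exchange_mode", "").split(",")]
            prop = blocks.get(path + "/proposal", {})
            if "aggressive" in modes:
                msg = "aggressive mode offered: identities sent unencrypted"
                if prop.get("authentication_method") == "pre_shared_key":
                    msg += "; with pre_shared_key the PSK-keyed hash is exposed"
                findings.append(("warn", path, msg))
            _check_group(findings, path + "/proposal", prop.get("dh_group"), "dh_group")
        elif path.startswith("sainfo "):
            _check_group(findings, path, kv.get("pfs_group"), "pfs_group")
            if kv.get("encryption_algorithm") == "3des":
                findings.append(("warn", path, "3des: 64-bit block cipher, prefer rijndael"))
    return findings


if __name__ == "__main__":
    for severity, path, msg in audit(parse_racoon_conf(SAMPLE_CONF)):
        print(f"{severity:5} {path}: {msg}")
```

The parser is deliberately small: it only understands the `header { statement; }` shape that racoon.conf uses, which is enough to pull out exchange_mode, the proposal sub-block and the sainfo algorithms. The fixes implied by the findings are all configuration changes on the responder side (restrict exchange_mode to main, and pick a 2048-bit group for dh_group and pfs_group where the racoon build supports it); they do not change the FAST_IPSEC data path that the thread is measuring.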