IPSec with multiple tunnels performance issue

Kernels & Hardware, configuring network, installing services

IPSec with multiple tunnels performance issue

Postby pritamkharat » 2018-12-21 05:28

Hello,

We have a IPSec site-to-site vpn connection setup where both the VPN gws are VyOS VM(Debian Jessie)

VyOS-1 <-----> VyOS-2

On this setup without ipsec we are getting bandwidth upto 20 Gbps between VyOS-1 and VyOS-2. When IPSec is established with single tunnel we get bandwidth upto 1 Gbps. But when we created one more tunnel on VyOS-1 and connected it to other VPN GW (VyOS-3) and measured the bandwidth on VyOS-1, it decreased to ~500 Mbps for each tunnel. Again we created one more tunnel on VyOS-1 and connected it to one more VPN GW (VyOS-4) and measured the bandwidth on VyOS-1, it decreased to ~300 Mbps for each tunnel.

So observation is bandwidth on VyOS-1 is always 1 Gbps divided by no. of tunnels.

We tried multiple options like increasing no.of vcpu, ram, combination of different hash and encryption algos, different MTU sizes etc but still not able to get upto 1 Gbps per tunnel. Also pcrypt module is already enabled all VyOS systems.

We tested with multiple combination of cpu and memory but the result is not affected much by that. Following is the observation:

1 cpu 1gb ram:
cpu0 utilization: 88%
performance: 635 Mbps

2 cpu 1gb ram:
cpu0 utilization: 85%
cpu1 utilization: 81%

4 cpu 2gb ram:
cpu0 utilization:60%
cpu1 utilization:65%
cpu2 utilization:40%
cpu3 utilization:30%

8cpu 4g bram:
cpu0 utilization:47%
cpu1 utilization:17%
cpu2 utilization:17%
cpu3 utilization:51%
cpu4 utilization:25%
cpu5 utilization:17%
cpu6 utilization:17%
cpu7 utilization:16%

Memory utilisation is not more than 20%

Question is how can we achieve 1 Gbps per tunnel. I asked the same question on strongswan forum but they said strongswan does not handle the IPSec traffic, Linux kernel does.

Can you please suggest where is the bottleneck in getting 1Gbps per tunnel ? What are the best figures anyone has got with IPSec ?
pritamkharat
 
Posts: 1
Joined: 2018-12-21 05:19

Return to System configuration

Who is online

Users browsing this forum: No registered users and 8 guests

fashionable