# Parallelizing IPsec ESP



## kemeris (Oct 6, 2014)

Hi there, 

I am planning to build a VPN server with a dual Xeon X5-2620v2 CPU (AES-NI supported) and a 10Gbps NIC. At the moment I am considering FreeBSD v10 with Strongswan, although I have never used FreeBSD before. My main concern is kernel space ESP performance, as I would like to achieve 7Gbps of IPSec traffic.

OpenSSL (on Linux) reports ~360MBps for one core with AES-NI enabled:

```
[root@s1 csr]# openssl speed -evp aes-256-cbc
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     342211.97k   361653.85k   365577.05k   365390.42k   366889.64k
```

4GBps for all 12 cores simultaneously:

```
[root@s1 csr]# openssl speed -evp aes-256-cbc -multi 12
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
evp            3809751.94k  4009976.73k  4048939.86k  4062668.73k  4061549.91k
```


Is it possible to achieve 7Gbps of IPSec traffic with FreeBSD v10? What could be potential bottlenecks?

Also, can anybody recommend a 10Gbps NIC with IPSec offload for FreeBSD?

Thanks in advance,
Giedrius


----------
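
Added example, not part of any post in this thread: it parses the two `openssl speed` outputs posted above, converts them to Gbit/s, and computes how many cores of raw AES-256-CBC the 7 Gbps target needs and how well `-multi 12` scaled. It covers userspace cipher throughput only, not the kernel ESP path; the function names are assumptions of this example.

```python
import math
import re

# Header and result rows copied from the first post in this thread.
SINGLE = """type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     342211.97k   361653.85k   365577.05k   365390.42k   366889.64k"""
MULTI = """type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
evp            3809751.94k  4009976.73k  4048939.86k  4062668.73k  4061549.91k"""


def parse_speed(text):
    """Return (label, {block_size: bytes_per_second}) from `openssl speed` output."""
    sizes, label, rates = [], None, {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif sizes and fields and fields[-1].endswith("k"):
            label = fields[0]
            # openssl reports "1000s of bytes per second", hence the * 1000.
            rates = dict(zip(sizes, (float(f.rstrip("k")) * 1000 for f in fields[1:])))
    if not rates:
        raise ValueError("no throughput row found")
    return label, rates


def gbit(bytes_per_second):
    """Convert bytes per second to Gbit/s (decimal, as NIC speeds are quoted)."""
    return bytes_per_second * 8 / 1e9


def cores_needed(single, target_gbit, block):
    """Whole cores of raw cipher throughput needed to reach target_gbit."""
    return math.ceil(target_gbit / gbit(single[block]))


def scaling_efficiency(single, multi, workers, block):
    """Measured -multi throughput as a fraction of workers x single-core."""
    return multi[block] / (workers * single[block])


if __name__ == "__main__":
    _, single = parse_speed(SINGLE)
    _, multi = parse_speed(MULTI)
    for block in single:
        print(f"{block:>5} B  1 core {gbit(single[block]):5.2f} Gbit/s  "
              f"12 procs {gbit(multi[block]):6.2f} Gbit/s  "
              f"cores for 7 Gbit/s: {cores_needed(single, 7, block)}  "
              f"scaling {scaling_efficiency(single, multi, 12, block):.0%}")
```

On the posted figures, raw AES-256-CBC at 7 Gbit/s fits in three cores' worth of userspace throughput, which is why the thread's question is about spreading ESP across cores rather than AES-NI speed.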



## junovitch@ (Oct 7, 2014)

Can't speak for the performance now, but the FreeBSD Foundation sponsored some work to get the IPSEC stack up to snuff to handle 10G and 40G network speeds. I don't think this made it to FreeBSD just yet as it was going to hit the new pfSense first and work its way in in the near future. This is probably worth a read and consideration.

http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html


----------



## kemeris (Oct 8, 2014)

Thanks for the reply, junovitch,

> Can't speak for the performance now, but the FreeBSD Foundation sponsored some work to get the IPSEC stack up to snuff to handle 10G and 40G network speeds. I don't think this made it to FreeBSD just yet as it was going to hit the new pfSense first and work its way in in the near future. This is probably worth a read and consideration.
> 
> http://freebsdfoundation.blogspot.com/2 ... ipsec.html



Yes, I saw this already. As I understand it, they will add two encryption modes, AES-CTR and AES-GCM, but there is no word about multicore processing for IPSec ESP traffic in kernel space. At the moment on CentOS with a 1 Gbps NIC I get 900 Mbps throughput without IPSec and ~700 Mbps using AES-GCM256 or AES-GCM256. All these benchmarks are only using one core. Still, it's not clear to me: is it possible to use multiple cores for encryption? Anybody?


----------

