FreeBSD VPN performance
Omer Faruk Sen
ofsen at enderunix.org
Tue Sep 7 06:14:57 PDT 2004
Hi,
I have been given a job to test the VPN performance of the FreeBSD IPSEC subsystem. I am
not that familiar with IPSEC terms (I just started to read IPSEC documents
about 5 days ago). I wanted to share my observations:
My hardware is: P IV 2.8, 256 MB, fxp NIC
First of all, I have used FreeBSD 4.10-STABLE, not FreeBSD 5 (maybe I have to
test FreeBSD 5 too; I think especially the MP-safe network stack and multithreaded
kernel give better performance?).
FAST_IPSEC currently works faster than IPSEC even if I don't use a hardware
accelerator. I have used rijndael-cbc (192 bit) and hmac-sha1 (160 bit) for my
test. I have used 3des (192 bit) and hmac-md5 (128 bit), but that gives less
performance.
Here is my kernel configuration (I have a problem with my kernel
configuration: after booting with this kernel, top and vmstat refused to run. I am
not sure if it is just a kernel/system incompatibility (4.10-RELEASE system vs
4.10-STABLE kernel) problem or a missing option in my kernel):
machine i386
cpu I686_CPU
makeoptions COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
ident IPSEC
maxusers 0
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options SYSVSHM #SYSV-style shared memory
options NSWAPDEV=1
options NFS_NOSERVER
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
device pci
device isa
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# syscons is the default console driver, resembling an SCO console
device npx0 at nexus? port IO_NPX irq 13
# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
#device sio1 at isa? port IO_COM2 irq 3
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device vr # VIA Rhine, Rhine II
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device gif # IPv6 and IPv4 tunneling
pseudo-device bpf 4 #Berkeley packet filter
#options IPSEC #IP security
#options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options FAST_IPSEC #new IPsec
pseudo-device crypto # core crypto support
pseudo-device cryptodev # /dev/crypto for access to h/w
options RANDOM_IP_ID
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options HZ=2000
options DEVICE_POLLING
options NMBCLUSTERS=65536 #This may not be required since we can tweak it in /boot/loader.conf
#Make console unchangeable
options SC_NO_CUTPASTE
options SC_NO_FONT_LOADING
options SC_NO_SYSMOUSE
options VGA_NO_FONT_LOADING # don't save/load font
options VGA_NO_MODE_CHANGE # don't change video modes
My loader.conf is set to:
kern.ipc.nmbclusters="65536"
My sysctl.conf:
net.inet.ip.forwarding=1
vfs.vmiodirenable=1
kern.ipc.maxsockbuf=2097152
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.rfc1323=1
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536
net.inet.udp.recvspace=65536
net.inet.udp.maxdgram=65536
net.local.stream.recvspace=65536
net.local.stream.sendspace=65536
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
#net.inet.icmp.log_redirect=1
net.inet.icmp.drop_redirect=1
net.inet.tcp.delayed_ack=1
kern.ps_showallprocs=0
net.inet.tcp.inflight_enable=1
#Needed for HTT (Hyper-Threading)
machdep.hlt_logical_cpus=0
kern.polling.enable=1
I have installed racoon as the IKE daemon, but I have had some problems with it, and
after reading the kame racoon ML
(http://www.kame.net/racoon/racoon-ml/msg00605.html) I have used this patch
along with the 20040818a version of racoon, and it seems that the problems have been
solved. I want to try isakmpd since it seems to give better performance.
Here is my racoon.conf:
remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    #my_identifier address;
    #my_identifier user_fqdn "sakane at kame.net";
    #peers_identifier user_fqdn "sakane at kame.net";
    #certificate_type x509 "mycert" "mypriv";
    nonce_size 16;
    lifetime time 12 hour; # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey; # obey, strict or claim
    proposal {
        encryption_algorithm rijndael;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous
{
    pfs_group 1;
    lifetime time 12 hour;
    encryption_algorithm rijndael;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
With this configuration we have received about 68 Mbit/s without any packet
loss. But after raising the limit (Shomiti Surveyor was used for that), packets
started to get lost.
I know this is a long and terribly formatted mail, but can someone give me
advice for raising the performance of my FreeBSD VPN system? It has just
come to my mind that maybe changing kern.poll gives me better performance?
I am planning to write a FreeBSD VPN performance paper if I gain better
performance.
PS: By the way, if I use manually created keys I get better performance. But
it seems peculiar to me since I have set the key lifetime to 12 hours; then I
decided that racoon (IKE daemons) has an effect on VPN performance. Is
that true? If it is true, can you explain why it has an effect on performance
with a key lifetime of 12 hours?
-----------------------
Omer Faruk Sen
http://www.EnderUNIX.ORG
Software Development Team @ Turkey
http://www.Faruk.NET
For Public key: http://www.enderunix.org/ofsen/ofsen.asc
********************************************************
First Turkish FreeBSD book is out! Go check it.
Have you heard? Turkey's first FreeBSD book is out.
http://www.acikkod.com/freebsd.php
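The racoon.conf above negotiates IKEv1 with exchange_mode aggressive,main, a pre_shared_key proposal, dh_group 2 and pfs_group 1. The Python script below is an added example, not code from this post or from racoon itself: it parses a racoon.conf of the brace-delimited form shown above into a nested dict and reports the IKEv1 choices that are known to be weak (aggressive mode with a PSK sends the PSK-derived hash unencrypted, so the PSK can be guessed offline from a capture; MODP groups 1 and 2 are only 768 and 1024 bits). SAMPLE_RACOON_CONF is constructed from the configuration in this post, and the tokenizer and parser are minimal hand-written ones, not racoon's own.

```python
"""Audit a racoon.conf (IKEv1) for known-weak settings.

Added example; not code from the mailing-list post or from racoon.
The parser handles the brace-delimited statement syntax shown in the post.
"""
import re

# Constructed sample mirroring the racoon.conf posted to the list (comments trimmed).
SAMPLE_RACOON_CONF = """
remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 12 hour; # sec,min,hour
    initial_contact on;
    proposal_check obey; # obey, strict or claim
    proposal {
        encryption_algorithm rijndael;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous
{
    pfs_group 1;
    lifetime time 12 hour;
    encryption_algorithm rijndael;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
"""

# IKEv1 MODP group numbers (RFC 2409) that are too small by today's standards.
WEAK_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP"}
WEAK_HASHES = {"md5", "hmac_md5"}
WEAK_CIPHERS = {"des", "3des"}


def tokenize(text):
    """Drop '#' comments, then split into word, '{', '}' and ';' tokens."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return re.findall(r"[{};]|[^\s{};]+", stripped)


def parse(tokens):
    """Turn a token list into a nested dict.

    'key v1 v2;' becomes {'key': ['v1', 'v2']} and 'name arg { ... }' becomes
    {'name arg': {...}}, recursively.
    """
    result, words, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                result[words[0]] = words[1:]
            words = []
        elif tok == "{":
            depth, j = 1, i + 1
            while depth:  # advance j to just past the matching closing brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            result[" ".join(words)] = parse(tokens[i + 1:j - 1])
            words, i = [], j
            continue
        else:
            words.append(tok)
        i += 1
    return result


def _first(block, key, default=""):
    """Return the first value of statement `key`, or `default` if absent."""
    values = block.get(key)
    return values[0] if values else default


def audit(conf):
    """Return (severity, message) findings for known-weak IKEv1 choices."""
    findings = []
    for name, block in conf.items():
        if not isinstance(block, dict):
            continue
        if name.startswith("remote"):
            proposal = block.get("proposal", {})
            modes = _first(block, "exchange_mode").split(",")
            if "aggressive" in modes and _first(proposal, "authentication_method") == "pre_shared_key":
                findings.append(("high", f"{name}: aggressive mode with pre_shared_key sends the "
                                 "PSK-derived hash unencrypted, enabling offline guessing; use main mode"))
            group = _first(proposal, "dh_group")
            if group in WEAK_GROUPS:
                findings.append(("medium", f"{name}: dh_group {group} is {WEAK_GROUPS[group]}; use 14 or larger"))
            if _first(proposal, "hash_algorithm") in WEAK_HASHES:
                findings.append(("low", f"{name}: hash_algorithm md5 is deprecated"))
            if _first(proposal, "encryption_algorithm") in WEAK_CIPHERS:
                findings.append(("low", f"{name}: encryption_algorithm {_first(proposal, 'encryption_algorithm')} is deprecated"))
        elif name.startswith("sainfo"):
            group = _first(block, "pfs_group", None)
            if group is None:
                findings.append(("medium", f"{name}: no pfs_group, so phase 2 keys lack forward secrecy"))
            elif group in WEAK_GROUPS:
                findings.append(("medium", f"{name}: pfs_group {group} is {WEAK_GROUPS[group]}; use 14 or larger"))
            if _first(block, "encryption_algorithm") in WEAK_CIPHERS:
                findings.append(("low", f"{name}: encryption_algorithm {_first(block, 'encryption_algorithm')} is deprecated"))
            if _first(block, "authentication_algorithm") in WEAK_HASHES:
                findings.append(("low", f"{name}: authentication_algorithm hmac_md5 is deprecated"))
    return findings


def audit_text(text):
    """Parse racoon.conf text and audit it in one step."""
    return audit(parse(tokenize(text)))


if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_RACOON_CONF):
        print(f"[{severity}] {message}")
```

Run against the posted configuration it reports three findings: the aggressive-mode/PSK combination, dh_group 2 and pfs_group 1. Switching to exchange_mode main and group 14 for both phases clears them while keeping the rijndael/sha1 choices the post found fastest.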