FreeBSD VPN performance
Vince Hoffman
jhary at unsane.co.uk
Tue Sep 7 09:03:39 PDT 2004
On Tue, 7 Sep 2004, Omer Faruk Sen wrote:
> Hi,
>
> I have been given a job to test the VPN performance of the FreeBSD IPSEC subsystem. I am
> not that familiar with ipsec terms (I just started to read IPSEC documents
> about 5 days ago). I wanted to share my observations:
>
> My hardware is : P IV 2.8, 256 MB, fxp NIC
>
> First of all I have used FreeBSD 4.10-STABLE, not FreeBSD 5 (maybe I have to
> test FreeBSD 5 too. I think especially the MP-safe network stack and multithreaded
> kernel give better performance?)
>
> FAST_IPSEC currently works faster than IPSEC even if I don't use a hardware
> accelerator. I have used rijndael-cbc (192 bit) and hmac-sha1 (160 bit) for my
> test. I have used 3des (192 bit) and hmac-md5 (128 bit) but it gives less
> performance.
>
> Here is my kernel configuration (I have a problem with my kernel
> configuration: after booting with this kernel, top and vmstat refused to run. I am
> not sure if it is just a kernel/system incompatibility (4.10-RELEASE system vs
> 4.10-STABLE kernel) problem or a missing option in my kernel):
Often implies your userland is out of sync. I'd follow the instructions in
/usr/src/Makefile to update your userland.
>
> machine i386
> cpu I686_CPU
> makeoptions COPTFLAGS="-O2 -pipe -funroll-loops -ffast-math"
> ident IPSEC
> maxusers 0
>
>
> options INET #InterNETworking
> options FFS #Berkeley Fast Filesystem
> options FFS_ROOT #FFS usable as root device [keep this!]
> options SOFTUPDATES #Enable FFS soft updates support
> options UFS_DIRHASH #Improve performance on big directories
> options CD9660 #ISO 9660 Filesystem
> options PROCFS #Process filesystem
> options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
> options UCONSOLE #Allow users to grab the console
> options USERCONFIG #boot -c editor
> options VISUAL_USERCONFIG #visual boot -c editor
> options SYSVSHM #SYSV-style shared memory
> options NSWAPDEV=1
> options NFS_NOSERVER
> options SYSVMSG #SYSV-style message queues
> options SYSVSEM #SYSV-style semaphores
> options P1003_1B #Posix P1003_1B real-time extensions
> options _KPOSIX_PRIORITY_SCHEDULING
> options ICMP_BANDLIM #Rate limit bad replies
>
> device pci
> device isa
>
> device ata0 at isa? port IO_WD1 irq 14
> device ata1 at isa? port IO_WD2 irq 15
> device ata
> device atadisk # ATA disk drives
> device atapicd # ATAPI CDROM drives
> options ATA_STATIC_ID #Static device numbering
>
>
> device atkbdc0 at isa? port IO_KBD
> device atkbd0 at atkbdc? irq 1 flags 0x1
> device psm0 at atkbdc? irq 12
>
> device vga0 at isa?
>
>
> # syscons is the default console driver, resembling an SCO console
>
> device npx0 at nexus? port IO_NPX irq 13
>
> # Serial (COM) ports
> device sio0 at isa? port IO_COM1 flags 0x10 irq 4
> #device sio1 at isa? port IO_COM2 irq 3
>
>
> device miibus # MII bus support
> device fxp # Intel EtherExpress PRO/100B (82557, 82558)
> device vr # VIA Rhine, Rhine II
>
> # Pseudo devices - the number indicates how many units to allocate.
> pseudo-device loop # Network loopback
> pseudo-device ether # Ethernet support
> pseudo-device pty # Pseudo-ttys (telnet etc)
> pseudo-device gif # IPv6 and IPv4 tunneling
>
> pseudo-device bpf 4 #Berkeley packet filter
>
> #options IPSEC #IP security
> #options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
> options FAST_IPSEC #new IPsec
> pseudo-device crypto # core crypto support
> pseudo-device cryptodev # /dev/crypto for access to h/w
>
>
>
> options RANDOM_IP_ID
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> options HZ=2000
> options DEVICE_POLLING
> options NMBCLUSTERS=65536 #This may not be required since we can tweak it in /boot/loader.conf
>
> #Make console nonchangable
> options SC_NO_CUTPASTE
> options SC_NO_FONT_LOADING
> options SC_NO_SYSMOUSE
> options VGA_NO_FONT_LOADING # don't save/load font
> options VGA_NO_MODE_CHANGE # don't change video modes
>
> My loader.conf is set to:
>
> kern.ipc.nmbclusters="65536"
>
> My sysctl.conf:
> net.inet.ip.forwarding=1
> vfs.vmiodirenable=1
> kern.ipc.maxsockbuf=2097152
> kern.ipc.somaxconn=8192
> kern.maxfiles=65536
> kern.maxfilesperproc=32768
> net.inet.tcp.rfc1323=1
> net.inet.tcp.sendspace=32768
> net.inet.tcp.recvspace=65536
> net.inet.udp.recvspace=65536
> net.inet.udp.maxdgram=65536
> net.local.stream.recvspace=65536
> net.local.stream.sendspace=65536
> net.inet.icmp.bmcastecho=0
> net.inet.icmp.maskrepl=0
> net.inet.ip.accept_sourceroute=0
> net.inet.ip.sourceroute=0
> #net.inet.icmp.log_redirect=1
> net.inet.icmp.drop_redirect=1
> net.inet.tcp.delayed_ack=1
> kern.ps_showallprocs=0
> net.inet.tcp.inflight_enable=1
> # needed for HTT
> machdep.hlt_logical_cpus=0
> kern.polling.enable=1
>
>
> I have installed racoon as IKE but I have had some problems with it and
> after reading the kame racoon ML
> (http://www.kame.net/racoon/racoon-ml/msg00605.html) I have used this patch
> along with the 20040818a version of racoon and it seems that the problems have been
> solved. I want to try isakmpd since it seems to give better performance.
> Here is my racoon.conf:
>
> remote anonymous
> {
>     #exchange_mode main,aggressive;
>     exchange_mode aggressive,main;
>     doi ipsec_doi;
>     situation identity_only;
>
>     #my_identifier address;
>     #my_identifier user_fqdn "sakane@kame.net";
>     #peers_identifier user_fqdn "sakane@kame.net";
>     #certificate_type x509 "mycert" "mypriv";
>
>     nonce_size 16;
>     lifetime time 12 hour; # sec,min,hour
>     initial_contact on;
>     support_mip6 on;
>     proposal_check obey; # obey, strict or claim
>
>     proposal {
>         encryption_algorithm rijndael;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key ;
>         dh_group 2 ;
>     }
> }
>
> sainfo anonymous
> {
>     pfs_group 1;
>     lifetime time 12 hour;
>     encryption_algorithm rijndael;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate ;
> }
>
>
> With this configuration we have received about 68 Mbit/s without any packet
> loss. But after raising the limit (Shomiti Surveyor was used for that) packets
> started to get lost.
>
> I know this is a long and terribly formatted mail but can someone give me
> advice for raising the performance of my FreeBSD VPN system? It has just
> come to my mind that maybe changing kern.poll gives me better performance?
> I am planning to write a FreeBSD VPN performance paper if I gain better
> performance..
>
> PS: By the way, if I use manually created keys I get better performance. But
> it seems peculiar to me since I have set the key lifetime to 12 hours, then I
> have decided that racoon (IKE daemons) has an effect on VPN performance. Is
> that true? If it is true can you explain why it has an effect on performance
> with a key lifetime of 12 hours.
>
> -----------------------
> Omer Faruk Sen
> http://www.EnderUNIX.ORG
> Software Development Team @ Turkey
> http://www.Faruk.NET
> For Public key: http://www.enderunix.org/ofsen/ofsen.asc
> ********************************************************
>
>
> First Turkish FreeBSD book is out! Go check it.
> Have you heard! Turkey's first FreeBSD book is out.
> http://www.acikkod.com/freebsd.php
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
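A check on the IKE settings in the racoon.conf quoted above, as an added example that is not part of the original post and not code from racoon/ipsec-tools. It parses a constructed, trimmed copy of the posted configuration (SAMPLE_CONF) and flags what a security reviewer would question in it: aggressive mode combined with a pre-shared key, the 1024-bit dh_group 2 and 768-bit pfs_group 1, proposal_check obey, and an anonymous remote block authenticated only by PSK. HARDENED_CONF is my assumed variant (main mode, rsasig with the certificate_type line from the post, group 14) and assumes the installed racoon accepts dh_group 14; the lint returns no findings for it.

```python
"""Lint a racoon.conf for IKEv1 settings that weaken the VPN (added example, not from the post)."""
import re

# Constructed copy of the posted racoon.conf, trimmed to the settings the checks look at.
SAMPLE_CONF = """
remote anonymous
{
    exchange_mode aggressive,main;
    proposal_check obey; # obey, strict or claim
    proposal {
        encryption_algorithm rijndael;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous {
    pfs_group 1;
    encryption_algorithm rijndael;
    authentication_algorithm hmac_sha1;
}
"""
# Hardened variant (an assumption, not from the post): main mode, certificate
# authentication, 2048-bit groups; assumes the installed racoon accepts dh_group 14.
HARDENED_CONF = """
remote anonymous {
    exchange_mode main;
    certificate_type x509 "mycert" "mypriv";
    proposal_check strict;
    proposal {
        encryption_algorithm aes;
        authentication_method rsasig;
        dh_group 14;
    }
}
sainfo anonymous {
    pfs_group 14;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
}
"""
TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};]+')
MODP_BITS = {'1': 768, '2': 1024, '5': 1536, '14': 2048}  # IKE MODP group sizes

def parse(tokens, pos=0):
    """Return (nodes, pos); a node is ('stmt', words) or ('block', header_words, children)."""
    nodes, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == ';':
            nodes.append(('stmt', cur))
            cur = []
        elif tok == '{':  # words collected so far are the block header
            children, pos = parse(tokens, pos)
            nodes.append(('block', cur, children))
            cur = []
        elif tok == '}':
            break
        else:
            cur.append(tok)
    return nodes, pos

def settings(block):
    """keyword -> args for the statements directly inside a block."""
    return {n[1][0]: n[1][1:] for n in block if n[0] == 'stmt' and n[1]}

def check_group(findings, where, keyword, args):
    bits = MODP_BITS.get(args[0]) if args else None
    if bits is not None and bits < 2048:
        findings.append(('WEAK_DH_GROUP', f'{where}: {keyword} {args[0]} is {bits}-bit MODP; use group 14 or larger'))

def lint(text):
    """Return [(code, message), ...] for the weak settings found in racoon.conf text."""
    findings = []
    nodes, _ = parse(TOKEN.findall(re.sub(r'#.*', '', text)))  # '#' comments run to end of line
    for node in nodes:
        if node[0] != 'block':
            continue
        header, body = node[1], node[2]
        where, st = ' '.join(header), settings(body)
        if header[:1] == ['remote']:
            modes = [m for a in st.get('exchange_mode', []) for m in a.split(',')]
            auth = set()
            for n in body:
                if n[0] == 'block' and n[1] == ['proposal']:
                    ps = settings(n[2])
                    auth.update(ps.get('authentication_method', []))
                    check_group(findings, where + ' proposal', 'dh_group', ps.get('dh_group', []))
            if 'aggressive' in modes and 'pre_shared_key' in auth:
                findings.append(('AGGRESSIVE_PSK', f'{where}: aggressive mode sends the identity and a PSK-keyed '
                                                   'hash in the clear, allowing an offline dictionary attack on the PSK'))
            if header[1:] == ['anonymous'] and 'pre_shared_key' in auth:
                findings.append(('ANONYMOUS_PSK', f'{where}: any peer address is accepted; only psk.txt separates peers'))
            if st.get('proposal_check', [])[:1] == ['obey']:
                findings.append(('PROPOSAL_CHECK_OBEY', f"{where}: initiator's lifetime and PFS choice accepted as-is"))
        elif header[:1] == ['sainfo']:
            if 'pfs_group' not in st:
                findings.append(('NO_PFS', f'{where}: no pfs_group; phase 2 keys derive from phase 1 only'))
            else:
                check_group(findings, where, 'pfs_group', st['pfs_group'])
    return findings
```

Call lint(SAMPLE_CONF) to list the findings for the posted configuration and lint(HARDENED_CONF) to see the clean result. These settings govern only the IKE negotiation and rekeying, not the per-packet ESP path, so tightening them costs at most some CPU at each rekey and does not change the throughput numbers measured above.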