Is if_ipsec/ipsec - AESNI accelerated ?

Thu Aug 9 23:55:57 UTC 2018

You're not running AES-GCM, you're running AES-CBC + HMAC-SHA256

>        E: rijndael-cbc  221239cf e0ddedc5 88f1f711 5e744723
>        A: hmac-sha2-256  bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7
529a40a1 bf5ea2c9 0e3f5f27

Try running AES-GCM.  Example (from the work that gnn@ and I did back in
2014/15):

https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/dut-aes-gcm.conf
https://github.com/freebsd-net/netperf/blob/master/IPSEC/Configs/source-aes-gcm.conf

Results on larger hardware, if you care:
https://github.com/freebsd-net/netperf/blob/master/Documentation/Presentations/BSDCan2015.pdf

Once you have that running, see if setting net.inet.ipsec.async_crypto=1
helps

Also, if PMTU doesn't work on your path, clamp TCP MSS to 1400 on both
sides.

# ipfw add # tcp-setmss 1400 <blah blah blah>

or

scrub on <interface> max-mss 1400  in your pf.conf

That all said, I only get around 400Mbps using AES-GCM over a real 1gbps
path between my house and work running a C2558 at home.
I'm running pfSense (because... you know...), but you should be able to
achieve similar results with a stock FreeBSD 11.2 system.

If you want to go faster, we've seen 856 mbps over a pair of C3558s, using
just AES-GCM w/AES-NI.  This is with 'pf' on, and KPI mitigations running,
btw.
If anything, i'd expect routed ipsec to be a bit faster.

Jim

On Thu, Aug 9, 2018 at 3:55 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:

> On 09.08.2018 23:11, David P. Discher wrote:
> > The documentation for using IPSec (especially if_ipsec) is really thin
> > for freebsd, so I pieced some of this together from various posts and
> > mailing lists threads.
> >
> > Is there no need for racoon ?  How in this example is the IKE/ISAKMP
> > setup done ? Is setkey doing this ?
>
> > This is 11.2-stable, shortly after release … I don’t have this sysctl.
>
> This is manually configured tunnel between two FreeBSD 12.0-CURRENT
> hosts. I can suggest to try patch and config from this post:
>
> https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html
>
> >> Need to see your setkey.conf, or at least the output of setkey -D..
> >
> >
> > setkey.conf is :
> >
> >         flush;
> >         spdflush;
> >
> >         spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec
> > esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
> >         spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in  ipsec
> > esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
> >         spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec
> > esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
> >         spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in  ipsec
> > esp/tunnel/10.245.0.203-10.245.0.201/unique:4;
>
> You don't need to create security policies for if_ipsec interfaces. They
> are created by interface automatically.
>
> --
> WBR, Andrey V. Elsukov
>
>