IPSec tunnel performance issue

nazuko · February 3, 2023, 8:56am

I have an IPSec site-to-site vpn connection setup where both the VPN gws are VyOS
VyOS-1 <-----> VyOS-2
| – ---- – - - ---- |
sw1 – – - – - - - sw2
| – - — ---- - ---- |
sevr1 ----- server2

When testing iperf on my servers passing by IPsec tunnel, I get bandwidth up to 1 Gbps.
What is the maximum performance that is supported by ipsec site to site tunnel in vyos?

Viacheslav · February 3, 2023, 9:10am

Try QAT if your devices support it

nazuko · February 3, 2023, 2:53pm

erro: system acceleration qat is not configured

Is vyos by default cannot go up to 1gpps with IPsec tunnel ? Because I saw already in the vyos forum that there are a lot of cases like mine, so I wonder if the max performance of ipsec is 1gps

n.fort · February 3, 2023, 6:16pm

VyOS does not implement any restrictions.
Are all interfaces involved more than giabitEthernet?

nazuko · February 8, 2023, 9:29am

yes, it’s 10gb peer interface

Viacheslav · February 10, 2023, 10:41am

Try different encryption|hash parameters
for example

set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1

Also check CPU utilization during the test
"sudo top" and press "1"

vishalgahlawat · February 19, 2024, 12:41pm

facing similar issue , any work around for this ?
do anyone able to achieve the bandwidth over 1gbps through ipsec ?

L0crian · February 19, 2024, 1:24pm

IPsec will unfortunately perform only to the level of your CPU’s single core performance. If you need more throughput with IPsec, you need a better performing CPU, or acceleration like Viacheslav mentioned previously in this thread.

You can solve it by looking towards alternatives for encryption like WireGuard. WireGuard uses all cores in a system so it is much more effecient. Here’s an example on a cheap $100USDmini-pc with a quad-core Celeron (2.7Ghz max clock):

IPsec:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.51 GBytes 1.30 Gbits/sec 53 sender
[ 5] 0.00-10.00 sec 1.51 GBytes 1.30 Gbits/sec receiver

Wireguard:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.26 GBytes 1.94 Gbits/sec 3366 sender
[ 5] 0.00-10.00 sec 2.26 GBytes 1.94 Gbits/sec receiver

Here’s a look at the CPU utilization during those tests:

IPsec:

WireGuard:

Almost 2Gbps in a $100USD mini-PC isn’t bad. You can of course get much more performance with a more capable box.