Differences

This shows you the differences between two versions of the page.

--- documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2020/09/22 12:00] – [Diagram] olivier
+++ documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2020/09/22 12:06] – [Using IPSec bench "Equilibrium throughput" method] olivier
@@ Line 52: / Line 52: @@
 ==== Netgate (DUT) ====
+/boot/loader.conf:
+<code>
+# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
+aesni_load="YES"
+</code>
 Configure IP address, routes and static IPSec:
@@ Line 61: / Line 66: @@
 static_routes="generator receiver"
 route_generator="-net 198.18.0.0/16 198.18.0.201"
-route_receiver="-net 198.19.0.0/16 198.18.1.203"
+route_receiver="-net 198.19.0.0/16 198.18.2.203"
 static_arp_pairs="receiver generator"
 static_arp_generator="198.18.0.201 00:1b:21:d4:3f:2a"
@@ Line 73: / Line 78: @@
 ipv6_static_routes="generator receiver"
 ipv6_route_generator="2001:2:: -prefixlen 49 2001:2::201"
-ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:1::203"
+ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:2::203"
 static_ndp_pairs="receiver generator"
 static_ndp_generator="2001:2::201 00:1b:21:d4:3f:2a"
 static_ndp_receiver="2001:2:0:1::203 00:1b:21:c4:95:7a"
+cloned_interfaces="ipsec0"
+create_args_ipsec0="reqid 100"
+ifconfig_ipsec0="inet 198.18.2.209/24 198.18.2.203 tunnel 198.18.1.209 198.18.1.203"
+ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::209 prefixlen 64"
-# Enabling IPSec
+# Enabling IPsec
 ipsec_enable="YES"
-# Enabling AES-NI
-kld_list="aesni"
 </code>
@@ Line 89: / Line 95: @@
 flush;
 spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P out ipsec esp/tunnel/198.18.1.209-198.18.1.203/require;
+add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P in ipsec esp/tunnel/198.18.1.203-198.18.1.209/require;
+add 198.18.1.209 198.18.1.203 esp 10001 -m tunnel -u 100 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.203 198.18.1.209 esp 0x1000 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.209 198.18.1.203 esp 0x1001 -E aes-gcm-16 "12345678901234567890";
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P out ipsec esp/tunnel/2001:2:0:1::209-2001:2:0:1::203/require;
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P in ipsec esp/tunnel/2001:2:0:1::203-2001:2:0:1::209/require;
-add 2001:2:0:1::203 2001:2:0:1::209 esp 0x1002 -E aes-gcm-16 "12345678901234567890";
-add 2001:2:0:1::209 2001:2:0:1::203 esp 0x1003 -E aes-gcm-16 "12345678901234567890";
 </code>
 ==== R3 (Reference device) ====
+/boot/loader.conf:
+<code>
+# Loading AES-NI module sooner to be sure it is loaded before IPsec keys
+aesni_load="YES"
+</code>
 Configure IP address, routes and static IPSec.
@@ Line 107: / Line 113: @@
 # IPv4 router
 gateway_enable="YES"
-ifconfig_igb2="inet 198.18.1.203/24"
+ifconfig_igb2="inet 198.18.1.203/24 -tso4 -tso6 -lro"
-ifconfig_igb3="inet 198.19.0.203/24"
+ifconfig_igb3="inet 198.19.0.203/24 -tso4 -tso6 -lro"
 static_routes="generator receiver"
-route_generator="-net 198.18.0.0/16 198.18.1.209"
+route_generator="-net 198.18.0.0/16 198.18.2.209"
 route_receiver="-net 198.19.0.0/16 198.19.0.201"
 static_arp_pairs="receiver generator"
 static_arp_generator="198.18.1.209 00:08:a2:09:33:db"
-static_arp_receiver="198.19.0.201 00:1b:21:d4:3f:2b"
+static_arp_receiver="198.19.0.201 0c:c4:7a:da:3c:12"
 # IPv6 router
@@ Line 124: / Line 130: @@
 ipv6_static_routes="generator receiver"
-ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:1::209"
+ipv6_route_generator="2001:2:: -prefixlen 49 2001:2:0:2::209"
 ipv6_route_receiver="2001:2:0:8000:: -prefixlen 49 2001:2:0:8000::201"
 static_ndp_pairs="receiver generator"
 static_ndp_generator="2001:2:0:1::209 00:08:a2:09:33:db"
-static_ndp_receiver="2001:2:0:8000::201 00:1b:21:d4:3f:2b"
+static_ndp_receiver="2001:2:0:8000::201 0c:c4:7a:da:3c:12"
+cloned_interfaces="ipsec0"
+create_args_ipsec0="reqid 200"
+ifconfig_ipsec0="inet 198.18.2.203/24 198.18.2.209 tunnel 198.18.1.203 198.18.1.209"
+ifconfig_ipsec0_ipv6="inet6 2001:2:0:2::203 prefixlen 64"
-# Enabling IPSec
+# Enabling IPsec
-kld_list="aesni"
 ipsec_enable="YES"
 </code>
@@ Line 140: / Line 149: @@
 flush;
 spdflush;
-spdadd 198.18.0.0/16 198.19.0.0/16 any -P in ipsec esp/tunnel/198.18.1.209-198.18.1.203/require;
+add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
-spdadd 198.19.0.0/16 198.18.0.0/16 any -P out ipsec esp/tunnel/198.18.1.203-198.18.1.209/require;
+add 198.18.1.209 198.18.1.203 esp 10001 -m tunnel -u 200 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.203 198.18.1.209 esp 0x1000 -E aes-gcm-16 "12345678901234567890";
-add 198.18.1.209 198.18.1.203 esp 0x1001 -E aes-gcm-16 "12345678901234567890";
-spdadd 2001:2::/49 2001:2:0:8000::/49 any -P in ipsec esp/tunnel/2001:2:0:1::209-2001:2:0:1::203/require;
-spdadd 2001:2:0:8000::/49 2001:2::/49 any -P out ipsec esp/tunnel/2001:2:0:1::203-2001:2:0:1::209/require;
-add 2001:2:0:1::203 2001:2:0:1::209 esp 0x1002 -E aes-gcm-16 "12345678901234567890";
-add 2001:2:0:1::209 2001:2:0:1::203 esp 0x1003 -E aes-gcm-16 "12345678901234567890";
 </code>
 ===== Using IPSec bench "Equilibrium throughput" method =====
 Once done, we start using a fast method for measuring the "IPsec equilibrium throughput" of the DUT.
-Notice that the reference device (IBM x3550-M3) used in front of the Netgate has a [[IPSec performance lab of an IBM System x3550 M3 with Intel 82580|equilibrium throughput of 843Mb/s]]. Then if the value measured during this bench is close to 843Mb/s we had to found a more powerful reference device.
 From the packet generator/receiver a simple script that use netmap-pktgen will do the job:
 <code>
-[root@R1]~# equilibrium -u -4 -d 00:08:a2:09:33:da -t igb2 -r igb3
+[root@R1]~# equilibrium -4 -u -d 00:08:a2:09:33:da -t igb1 -r igb2
 Benchmark tool using equilibrium throughput method
 - Benchmark mode: Bandwitdh (bps) for VPN gateway
@@ Line 166: / Line 167: @@
   - Offering load = 500 Mb/s
   - Step = 250 Mb/s
-  - Measured forwarding rate = 399 Mb/s
+  - Measured forwarding rate = 499 Mb/s
 Iteration 2
-  - Offering load = 250 Mb/s
+  - Offering load = 750 Mb/s
   - Step = 250 Mb/s
-  - Trend = decreasing
+  - Trend = increasing
-  - Measured forwarding rate = 250 Mb/s
+  - Measured forwarding rate = 670 Mb/s
 Iteration 3
-  - Offering load = 375 Mb/s
+  - Offering load = 625 Mb/s
   - Step = 125 Mb/s
-  - Trend = increasing
+  - Trend = decreasing
-  - Measured forwarding rate = 375 Mb/s
+  - Measured forwarding rate = 624 Mb/s
 Iteration 4
-  - Offering load = 437 Mb/s
+  - Offering load = 687 Mb/s
   - Step = 62 Mb/s
   - Trend = increasing
-  - Measured forwarding rate = 399 Mb/s
+  - Measured forwarding rate = 672 Mb/s
 Iteration 5
-  - Offering load = 406 Mb/s
+  - Offering load = 656 Mb/s
   - Step = 31 Mb/s
   - Trend = decreasing
-  - Measured forwarding rate = 399 Mb/s
+  - Measured forwarding rate = 655 Mb/s
 Iteration 6
-  - Offering load = 391 Mb/s
+  - Offering load = 671 Mb/s
   - Step = 15 Mb/s
-  - Trend = decreasing
+  - Trend = increasing
-  - Measured forwarding rate = 391 Mb/s
+  - Measured forwarding rate = 670 Mb/s
 Iteration 7
-  - Offering load = 398 Mb/s
+  - Offering load = 678 Mb/s
   - Step = 7 Mb/s
   - Trend = increasing
-  - Measured forwarding rate = 398 Mb/s
+  - Measured forwarding rate = 670 Mb/s
-Estimated Equilibrium Ethernet throughput= 398 Mb/s (maximum value seen: 399 Mb/s)
+Estimated Equilibrium Ethernet throughput= 670 Mb/s (maximum value seen: 672 Mb/s)
 </code>
-Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 400Mb/s.
+Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 672Mb/s.
 {{bench-ipsec-netgate-12head.png}}