documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2017/09/04 01:23] – external edit 127.0.0.1 | documentation:examples:ipsec_performance_of_a_netgate_rcc-ve_4860 [2020/09/22 12:08] (current) – [Using IPSec bench "Equilibrium throughput" method] olivier | ||
---|---|---|---|
Line 17: | Line 17: | ||
< | < | ||
- | +---------------------+ | + | +---------------------+ |
- | | R1 | + | | R1 |
- | | | + | | |
- | | and receiver | + | | and receiver |
- | | | + | | |
- | |igb2: 198.18.0.201/ | + | |igb2: 198.18.0.201/ |
- | | | + | | |
- | | 00: | + | | 00: |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | | | + | | |
- | |igb3: 198.19.0.201/ | + | | |
- | |2001: | + | | |
- | | | + | | |
- | +---------------------+ | + | |igb3: 198.19.0.201/ |
- | || | + | |2001: |
- | ==================================< | + | | |
+ | +---------------------+ | ||
+ | || || | ||
+ | ==================================< | ||
</ | </ | ||
===== Devices configuration ===== | ===== Devices configuration ===== | ||
Line 49: | Line 52: | ||
==== Netgate (DUT) ==== | ==== Netgate (DUT) ==== | ||
+ | / | ||
+ | < | ||
+ | # Loading AES-NI module sooner to be sure it is loaded before IPsec keys | ||
+ | aesni_load=" | ||
+ | </ | ||
Configure IP address, routes and static IPSec: | Configure IP address, routes and static IPSec: | ||
Line 58: | Line 66: | ||
static_routes=" | static_routes=" | ||
route_generator=" | route_generator=" | ||
- | route_receiver=" | + | route_receiver=" |
static_arp_pairs=" | static_arp_pairs=" | ||
static_arp_generator=" | static_arp_generator=" | ||
Line 70: | Line 78: | ||
ipv6_static_routes=" | ipv6_static_routes=" | ||
ipv6_route_generator=" | ipv6_route_generator=" | ||
- | ipv6_route_receiver=" | + | ipv6_route_receiver=" |
static_ndp_pairs=" | static_ndp_pairs=" | ||
static_ndp_generator=" | static_ndp_generator=" | ||
static_ndp_receiver=" | static_ndp_receiver=" | ||
+ | cloned_interfaces=" | ||
+ | create_args_ipsec0=" | ||
+ | ifconfig_ipsec0=" | ||
+ | ifconfig_ipsec0_ipv6=" | ||
- | # Enabling | + | # Enabling |
ipsec_enable=" | ipsec_enable=" | ||
- | |||
- | # Enabling AES-NI | ||
- | kld_list=" | ||
</ | </ | ||
Line 86: | Line 95: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
- | spdadd 198.18.0.0/ | + | add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 100 -E aes-gcm-16 " |
- | spdadd 198.19.0.0/ | + | add 198.18.1.209 198.18.1.203 esp 10001 -m tunnel -u 100 -E aes-gcm-16 " |
- | add 198.18.1.203 198.18.1.209 esp 0x1000 | + | |
- | add 198.18.1.209 198.18.1.203 esp 0x1001 | + | |
- | spdadd 2001:2::/49 2001: | + | |
- | spdadd 2001: | + | |
- | add 2001: | + | |
- | add 2001: | + | |
</ | </ | ||
==== R3 (Reference device) ==== | ==== R3 (Reference device) ==== | ||
+ | |||
+ | / | ||
+ | < | ||
+ | # Loading AES-NI module sooner to be sure it is loaded before IPsec keys | ||
+ | aesni_load=" | ||
+ | </ | ||
Configure IP address, routes and static IPSec. | Configure IP address, routes and static IPSec. | ||
Line 104: | Line 113: | ||
# IPv4 router | # IPv4 router | ||
gateway_enable=" | gateway_enable=" | ||
- | ifconfig_igb2=" | + | ifconfig_igb2=" |
- | ifconfig_igb3=" | + | ifconfig_igb3=" |
static_routes=" | static_routes=" | ||
- | route_generator=" | + | route_generator=" |
route_receiver=" | route_receiver=" | ||
static_arp_pairs=" | static_arp_pairs=" | ||
static_arp_generator=" | static_arp_generator=" | ||
- | static_arp_receiver=" | + | static_arp_receiver=" |
# IPv6 router | # IPv6 router | ||
Line 121: | Line 130: | ||
ipv6_static_routes=" | ipv6_static_routes=" | ||
- | ipv6_route_generator=" | + | ipv6_route_generator=" |
ipv6_route_receiver=" | ipv6_route_receiver=" | ||
static_ndp_pairs=" | static_ndp_pairs=" | ||
static_ndp_generator=" | static_ndp_generator=" | ||
- | static_ndp_receiver=" | + | static_ndp_receiver=" |
+ | cloned_interfaces=" | ||
+ | create_args_ipsec0=" | ||
+ | ifconfig_ipsec0=" | ||
+ | ifconfig_ipsec0_ipv6=" | ||
- | # Enabling | + | # Enabling |
- | kld_list=" | + | |
ipsec_enable=" | ipsec_enable=" | ||
</ | </ | ||
Line 137: | Line 149: | ||
flush; | flush; | ||
spdflush; | spdflush; | ||
- | spdadd 198.18.0.0/ | + | add 198.18.1.203 198.18.1.209 esp 10000 -m tunnel -u 200 -E aes-gcm-16 " |
- | spdadd 198.19.0.0/ | + | add 198.18.1.209 198.18.1.203 esp 10001 -m tunnel -u 200 -E aes-gcm-16 " |
- | add 198.18.1.203 198.18.1.209 esp 0x1000 | + | |
- | add 198.18.1.209 198.18.1.203 esp 0x1001 | + | |
- | spdadd 2001:2::/49 2001: | + | |
- | spdadd 2001: | + | |
- | add 2001: | + | |
- | add 2001: | + | |
</ | </ | ||
===== Using IPSec bench " | ===== Using IPSec bench " | ||
Once done, we start using a fast method for measuring the "IPsec equilibrium throughput" | Once done, we start using a fast method for measuring the "IPsec equilibrium throughput" | ||
- | |||
- | Notice that the reference device (IBM x3550-M3) used in front of the Netgate has a [[IPSec performance lab of an IBM System x3550 M3 with Intel 82580|equilibrium throughput of 843Mb/s]]. Then if the value measured during this bench is close to 843Mb/s we had to found a more powerful reference device. | ||
From the packet generator/ | From the packet generator/ | ||
< | < | ||
- | [root@R1]~# equilibrium | + | [root@R1]~# equilibrium -4 -u -d 00: |
Benchmark tool using equilibrium throughput method | Benchmark tool using equilibrium throughput method | ||
- Benchmark mode: Bandwitdh (bps) for VPN gateway | - Benchmark mode: Bandwitdh (bps) for VPN gateway | ||
Line 163: | Line 167: | ||
- Offering load = 500 Mb/s | - Offering load = 500 Mb/s | ||
- Step = 250 Mb/s | - Step = 250 Mb/s | ||
- | - Measured forwarding rate = 399 Mb/s | + | - Measured forwarding rate = 499 Mb/s |
Iteration 2 | Iteration 2 | ||
- | - Offering load = 250 Mb/s | + | - Offering load = 750 Mb/s |
- Step = 250 Mb/s | - Step = 250 Mb/s | ||
- | - Trend = decreasing | + | - Trend = increasing |
- | - Measured forwarding rate = 250 Mb/s | + | - Measured forwarding rate = 670 Mb/s |
Iteration 3 | Iteration 3 | ||
- | - Offering load = 375 Mb/s | + | - Offering load = 625 Mb/s |
- Step = 125 Mb/s | - Step = 125 Mb/s | ||
- | - Trend = increasing | + | - Trend = decreasing |
- | - Measured forwarding rate = 375 Mb/s | + | - Measured forwarding rate = 624 Mb/s |
Iteration 4 | Iteration 4 | ||
- | - Offering load = 437 Mb/s | + | - Offering load = 687 Mb/s |
- Step = 62 Mb/s | - Step = 62 Mb/s | ||
- Trend = increasing | - Trend = increasing | ||
- | - Measured forwarding rate = 399 Mb/s | + | - Measured forwarding rate = 672 Mb/s |
Iteration 5 | Iteration 5 | ||
- | - Offering load = 406 Mb/s | + | - Offering load = 656 Mb/s |
- Step = 31 Mb/s | - Step = 31 Mb/s | ||
- Trend = decreasing | - Trend = decreasing | ||
- | - Measured forwarding rate = 399 Mb/s | + | - Measured forwarding rate = 655 Mb/s |
Iteration 6 | Iteration 6 | ||
- | - Offering load = 391 Mb/s | + | - Offering load = 671 Mb/s |
- Step = 15 Mb/s | - Step = 15 Mb/s | ||
- | - Trend = decreasing | + | - Trend = increasing |
- | - Measured forwarding rate = 391 Mb/s | + | - Measured forwarding rate = 670 Mb/s |
Iteration 7 | Iteration 7 | ||
- | - Offering load = 398 Mb/s | + | - Offering load = 678 Mb/s |
- Step = 7 Mb/s | - Step = 7 Mb/s | ||
- Trend = increasing | - Trend = increasing | ||
- | - Measured forwarding rate = 398 Mb/s | + | - Measured forwarding rate = 670 Mb/s |
- | Estimated Equilibrium Ethernet throughput= | + | Estimated Equilibrium Ethernet throughput= |
</ | </ | ||
- | Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 400Mb/s. | + | Using AES-GCM-128 and aesni kernel module loaded on the NetGate RCC-VE 4860, we can estimate an IPSec Equilibrium throughput of about 672Mb/s. |
- | {{bench-ipsec-netgate-12head.png}} | + | {{bench.netgate.ipsec.13head.png}} |
documentation/examples/ipsec_performance_of_a_netgate_rcc-ve_4860.1504480994.txt.gz · Last modified: 2017/09/04 01:23 by 127.0.0.1