
ERL Slow ipsec Performance


Hello everyone,
I am currently testing an IPsec site-to-site tunnel between my EdgeRouter Lite and a Linux server.

The tunnel itself is working, but the performance is quite bad.

With iperf I get around 48 Mbit/s, while the CPU cores run at 100%, with ksoftirqd using most of the resources.

 

I think hardware offloading is not working, but it should be enabled:

$ show ubnt offload

IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : enabled
  pppoe     : enabled
  gre       : disabled
IPv6
  forwarding: enabled
  vlan      : enabled
  pppoe     : disabled

IPSec offload module: loaded

Traffic Analysis    :
  export    : enabled
  dpi       : enabled

 

 

My Config:

 

/* Firewall policy sets. WAN_IN/WAN_LOCAL/WAN_OUT and the IPv6_* sets are bound to pppoe1 under interfaces; no set is bound to eth1 or eth2. */
firewall {
    all-ping enable
    broadcast-ping disable
    /* Empty: NETv4_eth1 (referenced by WAN_OUT) is not defined here; presumably an EdgeOS built-in interface-network group - verify. */
    group {
    }
    /* IPv6 from the Internet towards the LAN: default drop, logged. */
    ipv6-name IPv6_WAN_IN {
        default-action drop
        description "IPv6 packets from the Internet to LAN"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        /* Accepts every ICMPv6 type (needed for NDP/PMTUD); no type restriction or rate limit is configured. */
        rule 5 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
    }
    /* IPv6 from the Internet to the router itself: default drop, logged. */
    ipv6-name IPv6_WAN_LOCAL {
        default-action drop
        description "IPv6 packets from the Internet to the router"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established sessions"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log disable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            description "Allow ICMPv6"
            log disable
            protocol icmpv6
        }
        /* DHCPv6 server (547) to client (546): needed by the dhcpv6-pd client on pppoe1. */
        rule 110 {
            action accept
            description "Allow DHCPv6 packets"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* IPv4 from the Internet towards the LAN: return traffic only. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 from the Internet to the router: no explicit IKE (UDP 500/4500) or ESP accept. Presumably the peer's replies match rule 10 because this side initiates (vpn connection-type initiate); if the remote side must ever initiate, explicit rules are required. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Outbound on pppoe1: default reject, only sources in NETv4_eth1 pass. Sources on eth2 vif 10 (172.16.0.0/24) would hit the default - confirm that is intended. Accepting the invalid state here is unusual. */
    name WAN_OUT {
        default-action reject
        description "Allow LAN"
        rule 1 {
            action accept
            description "Allow internet"
            destination {
            }
            log disable
            protocol all
            source {
                group {
                    address-group NETv4_eth1
                }
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
    }
    options {
        /* TCP MSS clamp for the PPPoE uplink (pppoe1 has mtu 1492). */
        mss-clamp {
            interface-type pppoe
            mss 1412
        }
    }
    receive-redirects disable
    /* NOTE(review): ICMP redirects are sent and source-validation (reverse-path check) is off; both are usually tightened on an Internet-facing router - confirm they are wanted. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* Interfaces. Firewall policies are attached only to pppoe1; eth1 and eth2 vif 10 carry none, so traffic between the local segments is unrestricted. */
interfaces {
    ethernet eth0 {
        description External
        duplex auto
        ip {
        }
        speed auto
        /* Uplink: PPPoE session 1 over VLAN 7 on eth0 (the pppoe1 interface used by nat and the firewall bindings). */
        vif 7 {
            description "Internet VLan"
            pppoe 1 {
                default-route auto
                /* Prefix delegation: a /64 out of the delegated /56 goes to eth1 (prefix-id 42) with SLAAC; no-dns presumably suppresses DNS advertisement on that segment - verify. */
                dhcpv6-pd {
                    pd 0 {
                        interface eth1 {
                            host-address ::dead
                            no-dns
                            prefix-id 42
                            service slaac
                        }
                        prefix-length 56
                    }
                    prefix-only
                    rapid-commit enable
                }
                /* Policy binding for the WAN; the rule sets are defined under firewall. */
                firewall {
                    in {
                        ipv6-name IPv6_WAN_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name IPv6_WAN_LOCAL
                        name WAN_LOCAL
                    }
                    out {
                        name WAN_OUT
                    }
                }
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                /* 1500 minus the 8-byte PPPoE header; matches the firewall mss-clamp. */
                mtu 1492
                name-server auto
                password *****
                user-id *****
            }
        }
    }
    /* Primary LAN with two IPv4 subnets on one segment. The IPsec local prefix and the NAT rules reference only 10.23.123.0/24. */
    ethernet eth1 {
        address 10.23.123.1/24
        address 192.168.0.10/24
        description Local
        duplex auto
        ipv6 {
            dup-addr-detect-transmits 1
        }
        speed auto
    }
    /* Second LAN, tagged VLAN 10 only. No NAT rule or IPsec prefix covers 172.16.0.0/24, so as configured it appears to have no path through pppoe1. */
    ethernet eth2 {
        description "Local 2"
        duplex auto
        speed auto
        vif 10 {
            address 172.16.0.1/24
            description Backstage
        }
    }
    loopback lo {
    }
}
/* No static routes; the IPv4 default route is learned from pppoe1 (default-route auto). */
protocols {
    static {
    }
}
/* Router services. Exposure from the Internet is governed by WAN_LOCAL (default drop) on pppoe1. */
service {
    /* DNS forwarder for the LAN, bound to eth1 only (not to eth2 vif 10). */
    dns {
        forwarding {
            cache-size 500
            listen-on eth1
        }
    }
    /* Web UI bound to the eth1 address. older-ciphers enables legacy TLS cipher suites on the HTTPS listener - disable unless an old client needs it; plain HTTP on port 80 is also enabled. */
    gui {
        http-port 80
        https-port 443
        listen-address 10.23.123.1
        older-ciphers enable
    }
    nat {
        /* Ordered before the masquerade rule: traffic for the IPsec remote prefix must keep its LAN source so the tunnel 0 selectors match. Required because auto-firewall-nat-exclude is disabled under vpn ipsec. */
        rule 5001 {
            description "ipsec exclude"
            destination {
                address 10.23.110.0/24
            }
            exclude
            log disable
            outbound-interface pppoe1
            protocol all
            source {
                address 10.23.123.0/24
            }
            type masquerade
        }
        /* Source NAT for Internet access; only 10.23.123.0/24 is masqueraded (not 192.168.0.0/24 or 172.16.0.0/24). The empty group node is unused. */
        rule 5002 {
            description "masquerade for WAN"
            log disable
            outbound-interface pppoe1
            protocol all
            source {
                address 10.23.123.0/24
                group {
                }
            }
            type masquerade
        }
    }
    /* SSH on the default port, protocol v2 only; no listen-address, so WAN reachability depends solely on WAN_LOCAL. */
    ssh {
        port 22
        protocol-version v2
    }
    /* Device discovery protocol off - reduces information exposure on all interfaces. */
    ubnt-discover {
        disable
    }
}
/* System settings; host name, domain and credentials are redacted in this paste. */
system {
    domain-name *****
    host-name *****
    /* Only the default ubnt account exists, at admin level; a distinct administrative user name is preferable. */
    login {
        user ubnt {
            full-name ""
            level admin
        }
    }
    /* Vendor NTP pool. */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Offload settings. show ubnt offload reports the IPsec module loaded, yet the observed ksoftirqd load suggests the IPsec data path is still in software; which algorithms the ERL offload engine handles is not visible here - verify against the v1.9.0 release notes. */
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            /* Routing/VPN daemons at debug level - useful while troubleshooting, noisy otherwise. */
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    /* DPI and flow export both on; DPI presumably adds per-packet CPU work, so disable it temporarily while measuring IPsec throughput. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* IPsec site-to-site with IKEv2 and certificate (x509) authentication; peer identity and certificate paths are redacted. */
vpn {
    ipsec {
        /* Automatic NAT exclusion is off; the manual exclusion is service nat rule 5001. */
        auto-firewall-nat-exclude disable
        /* Phase 2: AES-128 / HMAC-SHA1, tunnel mode, 20-minute lifetime. PFS is disabled, so a compromised IKE key exposes every child SA - enable pfs if the peer supports it. */
        esp-group esp1 {
            compression disable
            lifetime 1200
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        /* Phase 1: AES-128 / SHA1 with dh-group 2 (1024-bit MODP), below current recommendations; dh-group 14 or higher is preferable if the Linux peer supports it. DH only affects key exchange, not per-packet ESP throughput. */
        ike-group groupa {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        /* IPsec daemon logging at 0; raise temporarily when debugging SA setup (it will not explain data-path CPU load). */
        logging {
            log-level 0
        }
        site-to-site {
            peer ***** {
                /* Mutual certificate authentication against a configured CA. */
                authentication {
                    id *****
                    mode x509
                    remote-id *****
                    rsa-key-name *****
                    x509 {
                        ca-cert-file *****
                        cert-file *****
                        key {
                            file *****
                        }
                    }
                }
                /* This side initiates; WAN_LOCAL has no explicit IKE/ESP accept, so the peer presumably cannot bring the tunnel up on its own. */
                connection-type initiate
                default-esp-group esp1
                ike-group groupa
                ikev2-reauth inherit
                /* Source address chosen by routing - presumably the dynamic pppoe1 address. */
                local-address any
                /* Single child SA: 10.23.123.0/24 <-> 10.23.110.0/24. The second eth1 subnet and eth2 vif 10 are not carried. */
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group esp1
                    local {
                        prefix 10.23.123.0/24
                    }
                    remote {
                        prefix 10.23.110.0/24
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */

Can anyone help me debug this situation?

 

Thanks in Advance!

