pfSense IPsec Site-to-Site?


IamSpartacus

Well-Known Member
Mar 14, 2016
Can someone with experience setting up a site-to-site IPsec VPN between two pfSense boxes point me towards a good resource for how to do this? All my experience is with OpenVPN and I'm having trouble finding any documentation on how to get this set up between two pfSense 2.4.1 nodes.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
Thanks this was helpful though a bit dated.


> There is a video for this in the pfSense Gold subscription area as well.
Not a Gold member but that's good to know.



I got the tunnel setup but I'm seeing pretty poor speeds. I've tried all sorts of combos with regard to the encryption/hash but nothing has really changed it to any serious degree. Only getting 120Mbps (constant) max throughput over my 1Gbps line. Not sure if I have a bottleneck or if it's my settings somewhere. Lower end CPU on 1 end is a J1900 and hits 37-40% usage when doing this 120Mbps test transfer. C2758 on the other end hits 18-20%.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
So both iperf3 and SMB transfers are showing the same throughput (125Mbps) across the tunnel. So as currently constructed that's definitely my ceiling. I just don't know if my endpoints SHOULD be able to handle more than that or not. I thought the J1900 would handle 250+Mbps IPsec but maybe not?

Either way it's clearly not going to handle 1Gbps. So the question is, will my C2758 handle it and what's the lowest level C3000 series CPU that will handle it?
 

chilipepperz

Active Member
Mar 17, 2016
Are you 100% sure it's b not B? And are you using multiple parallel transfers?

125MBps is common for 1 gigabit

And if you're not using -p you can run out of steam before you hit 1g.
 
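To make the b-versus-B point above concrete, here is an added Python example (not from this thread, and not part of iperf3 itself) that reads the JSON produced by `iperf3 -J`, sums the parallel streams from a `-P` run, and reports the result in both Mbit/s and MB/s alongside a case-sensitive unit converter; the sample JSON is constructed and trimmed to the fields the script reads.

```python
import json

# Constructed sample of `iperf3 -c <server> -P 2 -J` output, trimmed to the
# fields read below (real output carries many more keys plus per-interval data).
SAMPLE_IPERF3_JSON = """
{
  "end": {
    "streams": [
      {"sender": {"bits_per_second": 63000000.0},
       "receiver": {"bits_per_second": 62500000.0}},
      {"sender": {"bits_per_second": 63000000.0},
       "receiver": {"bits_per_second": 62500000.0}}
    ],
    "sum_received": {"bits_per_second": 125000000.0}
  }
}
"""

# Multipliers to Mbit/s. Matching is case-sensitive on purpose: "MBps" is
# eight times "Mbps", which is exactly the b-versus-B mix-up discussed above.
_UNIT_TO_MBIT = {
    "Mbps": 1.0, "Mbit/s": 1.0,
    "MBps": 8.0, "MB/s": 8.0,
    "Gbps": 1000.0, "Gbit/s": 1000.0,
}


def to_mbit(value, unit):
    """Convert a throughput figure with a human-written unit to Mbit/s."""
    if unit not in _UNIT_TO_MBIT:
        raise ValueError(f"unrecognised unit {unit!r} (units are case-sensitive)")
    return value * _UNIT_TO_MBIT[unit]


def summarize_iperf3(json_text, link_mbit=None):
    """Sum the receiver-side rate of every parallel stream, in both Mbit/s and MB/s."""
    end = json.loads(json_text)["end"]
    # Receiver figures are used because they exclude retransmitted bytes.
    per_stream = [s["receiver"]["bits_per_second"] for s in end["streams"]]
    total_bps = end["sum_received"]["bits_per_second"]
    result = {
        "streams": len(per_stream),
        "per_stream_mbit": [bps / 1e6 for bps in per_stream],
        "total_mbit": total_bps / 1e6,
        "total_mbyte": total_bps / 8 / 1e6,
    }
    if link_mbit:
        # Fraction of the nominal link rate achieved (0.125 for 125 Mbit/s on 1 Gbit/s)
        result["link_utilisation"] = result["total_mbit"] / link_mbit
    return result
```

Run against real output with `iperf3 -c <server> -P 4 -J > run.json` and pass the file contents to `summarize_iperf3`; a "125" that converts to 1000 Mbit/s was MB/s, a "125" that stays at 125 Mbit/s is an eighth of a gigabit line.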

whitey

Moderator
Jun 30, 2014
Me and a buddy recently noticed poor throughput on ipsec tunnels, reverted back to ovpn tunnels, we played w/ ciphers and never really were happy w/ anything, ovpn definitely proved to be faster at least for us.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
> Are you 100% sure it's b not B? And are you using multiple parallel transfers?
>
> 125MBps is common for 1 gigabit
>
> And if you're not using -p you can run out of steam before you hit 1g.
Yes, it's definitely maxing at 125Mbps. No way the J1900 will handle 1Gbps VPN.

> Me and a buddy recently noticed poor throughput on ipsec tunnels, reverted back to ovpn tunnels, we played w/ ciphers and never really were happy w/ anything, ovpn definitely proved to be faster at least for us.
I'd love to use OpenVPN as it's easier to configure, not port specific, and can be tied to policy based routing. But it's single threaded and thus requires a high clocked CPU.
 

marsboer

New Member
Feb 23, 2016
I did a test now on my C2758 @ home, but the fastest IPsec link I had to test with was "only" 200 mbit/s. C2758 had no issues with that and I got a throughput of 200 mbit/s without issues. Actually it is a GRE tunnel over IPsec, because gre interfaces are so much easier to deal with for everything related to policy routing, firewalls, traffic monitoring etc. I am running AES128-GCM with strongswan on Debian 9.2 (Stretch), _not_ pfsense.

It is using about 25 to 35% of one CPU core to push 200 mbit/s continuously. Note that GRE and tc (I do traffic shaping of my links) are adding more load per packet, so pure IPsec setups can reach quite a bit higher throughput than mine with less CPU load. My edgerouter lite performance is halved when introducing GRE into the mix, even with hardware accel of both ipsec and GRE, and traffic shaping is just not usable at all as that is pure software (HTB at higher speeds is CPU intensive on weak platforms).
 

IamSpartacus

Well-Known Member
Mar 14, 2016
> I did a test now on my C2758 @ home, but the fastest IPsec link I had to test with was "only" 200 mbit/s. C2758 had no issues with that and I got a throughput of 200 mbit/s without issues. Actually it is a GRE tunnel over IPsec, because gre interfaces are so much easier to deal with for everything related to policy routing, firewalls, traffic monitoring etc. I am running AES128-GCM with strongswan on Debian 9.2 (Stretch), _not_ pfsense.
>
> It is using about 25 to 35% of one CPU core to push 200 mbit/s continuously. Note that GRE and tc (I do traffic shaping of my links) are adding more load per packet, so pure IPsec setups can reach quite a bit higher throughput than mine with less CPU load. My edgerouter lite performance is halved when introducing GRE into the mix, even with hardware accel of both ipsec and GRE, and traffic shaping is just not usable at all as that is pure software (HTB at higher speeds is CPU intensive on weak platforms).
Interesting results. Thank you for this.

I'm trying to see what my core usage is when I hit this 125Mbps limit right now but I'm having trouble deciphering the top -P command in FreeBSD. Am I just looking for the % system usage?
 

IamSpartacus

Well-Known Member
Mar 14, 2016
I think I'm going to setup a test bed between my workstation (i3-6100) and the C2758 and see what kind of results I get.
 

marsboer

New Member
Feb 23, 2016
I only used htop which has per CPU usage visualization in addition to the usual top stuff.

Normally you can press '1' in top (on Linux at least) to get per CPU stats, and you can toggle between "100% CPU usage is all cores at 100%" or "one core at full load equals 100%", or Irix mode, with I (capital i). The last one is the %CPU field per process.

This is the normal behaviour on Linux. Not sure if FreeBSD top is different.

For network load testing I just used iperf3 at default settings on both server and client (no massive window sizes etc) and only a single stream. The C2758 box was just doing router/firewall/VPN/traffic shaping duty, not terminating the actual TCP session for the iperf3 test.
 

marsboer

New Member
Feb 23, 2016
> is OpenVPN site to site easier to configure and maintain than IPSEC?
OpenVPN is much easier to configure for most people. Neither OpenVPN nor IPsec requires much maintenance after setup, except the occasional certificate renewal in some setups.

They are not really comparable though. IPsec is much more efficient and scales significantly better, so there is a reason why IPsec-based VPNs are used for site-to-site in enterprise networks. IPsec is often used with GRE, alternatively used in VTI mode, so you get an interface and can run routing protocols over the links.

Personally I use IPsec for all site-to-site infrastructure VPNs for this reason, as I have full control of the equipment at each end.

With roadwarrior user access VPNs, where performance is not as important as within your infrastructure, I often find it easier to just throw in OpenVPN. The benefit is that you reuse the configuration method on all platforms. While IPsec is often natively supported by the OS, you have to find out how to set things up for each platform.

I do wish that VPN providers you can subscribe to would provide IPsec tunnels though, just for performance reasons, but I can understand why they don't, thinking of all the support tickets they would get.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
According to Netgate's page for their C2758 appliance, they say it can only do 160Mbps over IPsec WITHOUT AES-NI. To me it makes no sense that they would not document how fast it can be with AES-NI enabled since the CPU supports it along with QA.

So the question is, how much will AES-NI impact performance?
 

cheezehead

Active Member
Sep 23, 2012
Midwest, US
> According to Netgate's page for their C2758 appliance, they say it can only do 160Mbps over IPsec WITHOUT AES-NI. To me it makes no sense that they would not document how fast it can be with AES-NI enabled since the CPU supports it along with QA.
>
> So the question is, how much will AES-NI impact performance?
I've heard of people using the supermicro variant and being able to tunnel a full GB fios link before.
 
Jan 4, 2014
> OpenVPN is much easier to configure for most people. Neither OpenVPN nor IPsec requires much maintenance after setup, except the occasional certificate renewal in some setups.
>
> They are not really comparable though. IPsec is much more efficient and scales significantly better, so there is a reason why IPsec-based VPNs are used for site-to-site in enterprise networks. IPsec is often used with GRE, alternatively used in VTI mode, so you get an interface and can run routing protocols over the links.
>
> Personally I use IPsec for all site-to-site infrastructure VPNs for this reason, as I have full control of the equipment at each end.
>
> With roadwarrior user access VPNs, where performance is not as important as within your infrastructure, I often find it easier to just throw in OpenVPN. The benefit is that you reuse the configuration method on all platforms. While IPsec is often natively supported by the OS, you have to find out how to set things up for each platform.
>
> I do wish that VPN providers you can subscribe to would provide IPsec tunnels though, just for performance reasons, but I can understand why they don't, thinking of all the support tickets they would get.
Thank god most modern ipsec implementations nowadays have no need for a separate GRE anymore when using vti.



Sent from a mobile device, so typos are to be expected :)