OPNsense IPsec performance test results

The free firewall solution OPNsense offers various options for configuring a VPN connection. By default OPNsense supports IPsec and OpenVPN connections. These techniques can be used, among other things, for the static connection of two sites via a site-to-site connection. The choice of encryption technique depends strongly on the required throughput. This article shows the results of our IPsec performance tests with iperf using a site-to-site connection. The VPN performance was also tested with OpenVPN. You can find detailed results in the Wiki article OPNsense OpenVPN performance tests.

Performance comparison Thomas-Krenn LES compact 4L and LES network+.

Test setup

The test setup for these tests consists of two OPNsense firewall systems with one client system each on the LAN side. The two firewalls are connected to a switch with the respective WAN interface. The current OPNsense version was used on both firewalls at the time of the test. On the client systems the current Ubuntu Server LTS was used at the time of the test. Further details and a detailed list can be found in the sections with the test results.

Test settings

This section lists the components used, the parameters used and the test procedure.

Test software

For the speed tests the tool iperf version 2.0.10 was used on the clients.

$ iperf -v
iperf version 2.0.10 (2 June 2018) pthreads

Test parameter

All tests were performed with the following parameters:

Server: iperf -p 5000 -f m -s
Client: iperf -p 5000 -f m -c <IP-des-Servers> -t 180 -P 10

Test procedure

Iperf was started in server mode on Client 1 of Site 1. Then iperf was started in client mode on the client side. This made it possible to determine the upload speed from the client side to the server side. To measure the download performance, the server side and client side were swapped. 10 upload and 10 download tests were performed. The values were added and the mean value was calculated. The same applies to the measured load of the systems.

IPsec settings

The IPsec parameters used are based on the technical guideline TR-02102-3 of the BSI:^[1]

Phase 1
- Key exchange version: v2
- Authentication method: Mutual PSK
- Encryption algorithm: 128 bit AES-GCM with 128 bit ICV
- Hash Algorithm: SHA256
- PFS key group: DH Group 28 (Brainpool EC 256 bits)
Phase 2
- Encryption algorithms: aes128gcm16
- Hash Algorithms: nothing selected
- PFS key group: DH Group 28 (Brainpool EC 256 bits)

Test results IPsec

The following sections break down the results according to the firewall devices used and tabulate the results.

Setup with Supermicro X11SSH-LN4F and Thomas-Krenn LES compact 4L

The following table shows the components of the test with the Supermicro X11SSH-LN4F and Thomas-Krenn LES compact 4L:

Application purpose	Hardware	BIOS informations	Software
Firewall Site 1	Motherboard: Supermicro X11SSH-LN4F CPU: Intel Xeon E3-1230 v6 (4 cores) RAM: 4 GB	Version: 2.2 BIOS Settings Hyper-threading: Disabled	OPNsense version: OPNsense 19.1.7-amd64 FreeBSD 11.2-RELEASE-p9-HBSD OpenSSL 1.0.2r 26 Feb 2019
Firewall Site 2	Thomas-Krenn LES compact 4L CPU: Intel Celeron J3160 (4 cores) RAM: 2 GB	Version: BSW4L004
Client Site 1	Motherboard Supermicro X10SLH-F CPU: Intel Celeron G1820T (2 cores) RAM: 4 GB	Version: 3.0	Ubuntu Server version: 18.04.2 Kernel 4.15.0-47
Client Site 2	Motherboard: Asus P9D-MV CPU: Intel Celeron G1820T (2 cores) RAM: 2 GB	Version: 2101	Ubuntu Server version: 18.04.2 Kernel 4.15.0-47

Test results Thomas-Krenn LES compact 4L

In this table you will find the values determined by us during the tests of an IPsec site-to-site connection with Firewall 1 (Supermicro X11SSH-LN4F and Firewall 2 (Thomas-Krenn LES compact 4L). Tests with Hyper-Threading enabled were not performed because the CPU of the LES compact 4L does not support this. All measurement results were determined from the mean value of 10 passes.

Test without Hyper-Threading	Throughput download on LES LES compact 4L: decrypts X11SSH-LN4F: encrypts	Throughput upload on LES LES compact 4L: encrypts X11SSH-LN4F: decrypts
Throughput	324,5 Mbits/sec	403,2 Mbits/sec
Load on LES compact 4L (vmstat -w 180 -c 2)	us - sy - id 1 - 52,8 - 46,4	us - sy - id 1,4 - 68,8 - 29,8
Load on X11SSH-LN4F (vmstat -w 180 -c 2)	us - sy - id 0,4 - 10 - 89,6	us - sy - id 1 - 8,4 - 91

The results of the individual test rounds are summarized in a zip archive.

Setup with Supermicro X11SSH-LN4F and Thomas-Krenn LES network+

The following table shows the components of the test with the Supermicro X11SSH-LN4F and Thomas-Krenn LES network+:

Application purpose	Hardware	BIOS informations	Software
Firewall Site 1	Motherboard: Supermicro X11SSH-LN4F CPU: Intel Xeon E3-1230 v6 (4 cores) RAM: 4 GB	Version: 2.2 BIOS settings Hyper-threading on \| off	OPNsense version: OPNsense 19.1.6-amd64 FreeBSD 11.2-RELEASE-p9-HBSD OpenSSL 1.0.2r 26 Feb 2019
Firewall Site 3	Thomas-Krenn LES network+ CPU: Intel Core i5-6300U (2 cores) RAM: 4 GB	Version: BF551TK6 ME Version 11.8.60 BIOS settings Hyper-threading on \| off Load Optimized Settings
Client Site 1	Motherboard Supermicro X10SLH-F CPU: Intel Celeron G1820T (2 cores) RAM: 4 GB	Version: 3.0	Ubuntu Server version: 18.04.2 Kernel 4.15.0-47
Client Site 3	Motherboard: Asus P9D-MV CPU: Intel Celeron G1820T (2 cores) RAM: 2 GB	Version: 2101	Ubuntu Server version: 18.04.2 Kernel 4.15.0-47

Test results Thomas-Krenn LES network+

In this table you will find the values determined by us during the tests of an IPsec site-to-site connection with Firewall 1 (Supermicro X11SSH-LN4F) and Firewall 3 (Thomas-Krenn LES network+). In this test setup, the tests were performed with Hyper-Threading activated on both firewalls and deactivated on both sides. All measurement results were determined from the mean value of 10 passes.

Note: The parameters used for the IPsec connection fully exploit the Gigabit network connection, both with and without hyper-threading:

Test without Hyper-Threading	Throughput download on LES LES network+: decrypts X11SSH-LN4F: encrypts	Throughput upload on LES LES network+: encrypts X11SSH-LN4F: decrypts
Throughput	877,1 Mbits/sec	877 Mbits/sec
Load on LES network+ (vmstat -w 180 -c 2)	us - sy - id 3,5 61,4 35	us - sy - id 2,9 60,2 37
Load on X11SSH-LN4F (vmstat -w 180 -c 2)	us - sy - id 0,1 19 80,7	us - sy - id 0 19,5 80,2

Test with Hyper-Threading	Throughput download on LES LES network+: decrpyts X11SSH-LN4F: encrypts	Throughput upload on LES LES network+: encrypts X11SSH-LN4F: decrypts
Throughput	877 Mbits/sec	877 Mbits/sec
Load on LES compact 4L (vmstat -w 180 -c 2)	us - sy - id 2,1 34 63,8	us - sy - id 3 39 58,1
Load on X11SSH-LN4F (vmstat -w 180 -c 2)	us - sy - id 0 10,8 89,1	us - sy - id 0 11 88,6

The results of the individual test rounds are summarized in a zip archive.

Notes on the Standard Gateway

In this test setup, the two test firewalls were each operated on a switch using an RJ45 patch cable. The two firewalls were located in the office network and the gateway was the office firewall (also with OPNsense installed). With the IPsec tunnel settings 128 bit AES-GCM with 128 bit ICV, it was noticed during the iperf test procedure that all traffic runs via the standard gateway by default. With these settings, the transmission speed was so high that the rest of the network traffic was lost and the web interface of the office firewall was no longer reactive. To prevent all data traffic from running through the default gateway, the entry Auto-detect should be selected in the section Interfaces -> WAN at the line IPv4 Upstream Gateway. In addition, the entry for the default gateway was removed during the tests under System -> Gateways -> Single.

Findings of the tests

The configured IPsec parameters utilize the gigabit connection of the WAN connection to capacity when using an X11SSH-LN4F motherboard and LES network+.

The results of the tests with IPsec can be summarized with the following points:

Significantly higher performance than OpenVPN
128 bit AES-GCM utilized the Gigabit network connection to capacity (with and without Hyper-Threading)
IPsec benefits from Hyper-Threading (About half the CPU load (sy - system time) of the LES network+ compared to the test without Hyper-Threading)

Further information

What's the difference between AES-CBC and AES-GCM? (privateinternetaccess.com, 05.10.2018)
AES-NI SSL Performance (calomel.org, 08.11.2018)

References

↑ BSI TR-02102-3 "Kryptographische Verfahren: Verwendung von Internet Protocol Security (IPsec) und Internet Key Exchange (IKEv2)" Version: 2019-01 (bsi.bund.de, 25.01.2018)

Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

[1] BSI TR-02102-3 "Kryptographische Verfahren: Verwendung von Internet Protocol Security (IPsec) und Internet Key Exchange (IKEv2)" Version: 2019-01 (bsi.bund.de, 25.01.2018)

[1]