Hello forum, my first post here! I didn't find any suitable answer anywhere so I decided to post here.
I am playing with Sophos firewall for a few weeks now (Software XG on ESXi - and now with a real device), and I am trying to find out the max speed of the XG 125 with IPSec Site-to-Site VPN.
Of all my tests, I can only achieve ~240 Mb/s over a 1 Gb/s connection with the XG 125 and a VM running the software version of XG.
* Tests part 1
- In ESXi, 2 VMs connected over the same virtual switch get me around ~5.5 Gb/s of pure transfer speed with iperf3 (server is an HP DL380 G7 with 2 x Xeon X5650)
- Two Sophos XG VMs with all virtual switching, an IPSec Site-to-Site VPN (using the wizard and the default IPSec policies for HQ and Branch) and iperf3 gave me ~240 Mb/s.
* Tests part 2
- I decided to set up 2 pfSense VMs and get a similar IPSec Site-to-Site VPN up and I could reach ~320 Mb/s between those two (FreeBSD network stack is the best, Linux still needs to catch up on that front so that's why there is a speed boost somehow)
- With the Xeons, I knew they had cryptographic AES-NI capabilities, so in pfSense, I activated both and boom, iperf3 gave me ~1 Gb/s speed between the VMs on the virtual network. Very good!
==> Where is that 'switch' in Sophos XG? The XG 125 is equipped with an Intel Atom C3508 that sports the same AES-NI capabilities, so I'd really like to use that crypto-offloading to accelerate the encryption/decryption.
* Tests part 3
- Today we received our first XG 125 for a client, so I started to prep it and do some testing, and IPSec was one of the tests. So I set up another IPSec Site-to-Site between the XG 125 and one of the Sophos XG VMs and sadly, I could just get up to the same ~240 Mb/s.
- Then, I mixed up the firewalls: IPSec Site-to-Site VPN between pfSense (VM with the crypto-acceleration active) and the XG 125. Again, just got around ~240 Mb/s of throughput.
So now, for me, it seems obvious that the AES-NI CPU-based acceleration of the Atom C3508 isn't used by the XG 125 for IPSec. I don't know if these forums are read by technical staff at Sophos, but I would really like to know what I must do to activate AES-NI hardware crypto offloading.
Thx!
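One way to verify, on a Linux-based firewall, whether the kernel actually selects the AES-NI implementation for the IPsec ciphers rather than the generic C code, as an added example that is not part of the original post: the Linux kernel picks, for each algorithm name, the registered driver with the highest priority, and /proc/crypto lists every candidate. Assumptions: shell access to /proc/crypto on the appliance (not established for Sophos XG on this page), and the sample entries below are constructed to mirror what the in-tree aesni_intel and aes-generic drivers register, with priorities treated as illustrative.

```python
import re

# Constructed sample of /proc/crypto (abbreviated) from a host where both the
# generic C cipher and the aesni_intel driver are registered.
SAMPLE_WITH_AESNI = """\
name         : gcm(aes)
driver       : generic-gcm-aesni
module       : aesni_intel
priority     : 400

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
"""

# Constructed sample from a host where the AES-NI module is not loaded at all.
SAMPLE_GENERIC_ONLY = SAMPLE_WITH_AESNI.split("\n\n")[-1]

def parse_proc_crypto(text):
    """Split /proc/crypto into one dict per registered algorithm entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "name" in fields:
            entries.append(fields)
    return entries

def best_driver(text, name):
    """Return the entry the kernel would select for `name` (highest priority), or None."""
    candidates = [e for e in parse_proc_crypto(text) if e.get("name") == name]
    return max(candidates, key=lambda e: int(e.get("priority", "0")), default=None)

def aesni_selected(text, name="aes"):
    """True if the winning implementation for `name` comes from the aesni_intel module."""
    entry = best_driver(text, name)
    return entry is not None and entry.get("module") == "aesni_intel"
```

On a real host, call `best_driver(open("/proc/crypto").read(), "gcm(aes)")` (or `"cbc(aes)"`, depending on the IPsec proposal in use); a winner reported by a module other than aesni_intel means the CPU's AES instructions are not being used for that cipher.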