Other (about technical) How to achieve IPSec throughput above 2 Gbit/s

Hello forum,

(1) As stated in the subject, how to achieve IPSec throughput above 2 Gbit/s?

(2) Has anyone run IPSec and successfully hit IPSec throughput above 2 Gbit/s?

(3) Which FreeBSD version would be recommended for this scenario?

(4) What should be tuned in /boot/loader.conf?
(Our current configuration in /boot/loader.conf )

(5) What should be tuned in /etc/sysctl.conf?
(Our current configuration in /etc/sysctl.conf )

The topology would be simple, like this:

Svr-Test1 10G----10G Svr-FreeBSD1 10G----IPSec----10G Svr-FreeBSD2 10G----10G Svr-Test2

There are 4 servers available for me to test this scenario, all are the same:
- 2x NIC 10G
- Xeon E5-2630L 2.4GHz (24 logical processors)
- RAM 64GB
- SSD 128GB

But when I test with iperf3 (iperf3 -c x.y.w.z -b 2000000000), the throughput was stuck at 120Mbit/s, with AES128 encryption and SHA1 authentication. But if we turn off IPSec on both sides, we can get throughput of around 7 Gbit/s.

What can we do with FreeBSD to achieve high throughput of IPSec? Or, do we need to buy a PCI card for high throughput IPSec? Which one is that?

(apologies for my bad English, as I'm not a native English speaker)

Big Thanks!

And finally, pfSense will move to use even more advanced encryption techniques for IPsec, TLS and OpenVPN. It should be well-known by now that Netgate and the FreeBSD Foundation co-sponsored a project to enable AES-GCM for IPsec, enabling faster encryption speeds on Intel and AMD processors that support AES-NI instructions. On a pair of fast quad core Xeon systems we can run IPsec at over 2Gbps now. More speed is possible, and I expect the first results showing this to be a port of Intel’s “QuickAssist”. On a C2758, this should provide around 8Gbps of IPsec throughput.

It's possible, but I'm not sure whether it's just a case of tweaking settings or if it needs more heavy-handed tuning.