With an IPsec connection with a FortiGate and RUT241 using AES-256P1 and AES-128P2, I’m not seeing any performance improvement by enabling IPsec software flow offload (new feature).
Is there a setting that I might have missed?
Running RUT2M_R_00.07.11.3 firmware.
Seeing around 10-11Mbps in both directions and the CPU is at 100% during the test.
Tested using iperf3 from the unit's CLI.
If I use iperf3 without going over the VPN I see around 30-40Mbps, so it looks like the encryption overhead is dragging the performance down.
@stephenevans If you do not need the tunnel itself to provide encryption (e.g. if data is sufficiently secure by the time it hits the wire, for example TLS) then you might consider trying a GRE tunnel. That should be a lot lighter on the CPU.
There might be some confusion with the feature when comparing speeds using iperf3 on the device, which is why you don’t see any difference. IPsec software flow offload, like other flow offloading features, only works in forwarding scenarios, for example, when the iperf3 client is running from a LAN device instead of directly on the router.
Also, there are a few partially supported options, like “UDP encapsulation” and “Route-based IPsec”, which might result in a smaller performance difference.
Currently, we support and use cryptographic accelerators on the RUTM (AES-CBC, partial AES-GCM) and RUTC (AES-CBC, AES-GCM) families. In the near future, support will be added for RUTX (AES-CBC, partial AES-GCM).
With the 7.13 release, ChaCha20-Poly1305 support will be introduced, which will provide significantly better performance on the RUT241 compared to AES-CBC or AES-GCM.
I hope this clears things up! Let me know if you have any questions.