mirror of
https://github.com/opnsense/docs.git
synced 2026-05-28 04:02:12 -04:00
VPN / IPsec - tuning consideration when using IPsec
This commit is contained in:
Ad Schellevis
parent
b5ea9dce07
commit
80f2f225c4
1 changed files with 22 additions and 0 deletions
|
|
@ -95,6 +95,28 @@ to the many different implementation types.
|
|||
how-tos/ipsec-rw
|
||||
|
||||
|
||||
.................................
|
||||
Tuning considerations
|
||||
.................................
|
||||
|
||||
Depending on the workload (many different IPsec flows or a single flow), it might help to enable multithreaded crypto mode
|
||||
on :code:`ipsec`, in which case cryptographic packets are dispatched to multiple processors.
|
||||
In order to do so, add or change the following tunable in :menuselection:`System --> Settings --> Tunables`:
|
||||
|
||||
.. Note::
|
||||
|
||||
:code:`net.inet.ipsec.async_crypto` = **1**
|
||||
|
||||
Sometimes it helps if `netisr <https://www.freebsd.org/cgi/man.cgi?format=html&query=netisr(9)>`__ threads are bound to the same cpu
|
||||
they where initiated on, in which case load shifts less between cores. Since by default the kernel uses a single thread to dispatch
|
||||
the work to be done, we might also consider increasing the number of workers to the number of cores available in the machine.
|
||||
|
||||
.. Note::
|
||||
|
||||
* :code:`net.isr.bindthreads` = **1**
|
||||
* :code:`net.isr.maxthreads` = **-1** <-- equal the number of cores in the machine
|
||||
|
||||
|
||||
.................................
|
||||
Diagnostics
|
||||
.................................
|
||||
|
|
|
|||
Loading…
Reference in a new issue