From 80f2f225c425b08db8783cae4f7b9dcd256b0f01 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Thu, 15 Dec 2022 13:48:22 +0100 Subject: [PATCH] VPN / IPsec - tuning consideration when using IPsec --- source/manual/vpnet.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index aecb729e..081da122 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -95,6 +95,28 @@ to the many different implementation types. how-tos/ipsec-rw +................................. +Tuning considerations +................................. + +Depending on the workload (many different IPsec flows or a single flow), it might help to enable multithreaded crypto mode +on :code:`ipsec`, in which case cryptographic packets are dispatched to multiple processors. +In order to do so, add or change the following tunable in :menuselection:`System --> Settings --> Tunables`: + +.. Note:: + + :code:`net.inet.ipsec.async_crypto` = **1** + +Sometimes it helps if `netisr `__ threads are bound to the same cpu +they where initiated on, in which case load shifts less between cores. Since by default the kernel uses a single thread to dispatch +the work to be done, we might also consider increasing the number of workers to the number of cores available in the machine. + +.. Note:: + + * :code:`net.isr.bindthreads` = **1** + * :code:`net.isr.maxthreads` = **-1** <-- equal the number of cores in the machine + + ................................. Diagnostics .................................
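Review bot: In the netisr paragraph of the added "Tuning considerations" section, "they where initiated on" should read "they were initiated on" and "cpu" should be "CPU". The `netisr `__ reference in the same sentence appears here without a link target, so please check that its URL is present. The opening sentence names two workloads ("many different IPsec flows or a single flow") without saying which of them benefits from :code:`net.inet.ipsec.async_crypto` = **1**; stating that would let readers decide whether the tunable applies to them. The "<-- equal the number of cores in the machine" annotation after :code:`net.isr.maxthreads` = **-1** will render as literal text inside the list item, so consider moving that explanation into the preceding paragraph. It would also help to say whether these tunables take effect immediately or only after a reboot.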