Low speed on Wireguard vs IPSec

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

helio58

Regular Contributor
Hi,
I have set up Asus RT-AC86U (Merlin firmware) with experimental wireguard.

IPsec vpn enable on the router.

My connection 1000/1000 on the router side

My client running on a macbook connect to
250/100 internet connection.

When routing all traffic via tunnel I got this speeds.
The left is via IPSec , right wireguard.

Is there a setting I miss? in the first download speed in 10 times lower in wireguard .

Any ideas? Thanks

IPSEC.png
Wireguard.png
 

L&LD

Part of the Furniture
What RMerlin version of the firmware are you running exactly?

How are both endpoints connected? Wired or wireless?

From which end are you running the tests?
 

helio58

Regular Contributor
Hi sorry for the lack of information.
The RT-AC86U is running Merlin 384-15. This is the server with both IPSec and Wireguard.
Both endes connected wired.
I m running the test from a remote location.
Client turn on Wireguard run speedtest . Stop switch to IPSec client and run the speedtest.
When downloading say a 4GB file it takes 4 minutes with IPSec but 28-30 minutes with wireguard.
Most curious why this speed diferens ? Before I had just the same downloading time.
 

L&LD

Part of the Furniture
Why are you running such an outdated version of RMerlin firmware on the router?

Even the 386.1 Alpha 2 is stable enough to test with.



Do you reboot your Mac Book when switching between IPsec and Wireguard? Does a reboot in general fix anything?

Are you connected with both IPsec and Wireguard at the same time?
 

helio58

Regular Contributor
To be honest I have been away from home a long time. I want to be there when I update the router.
Yes I reboot several times but it did not fix.
No I m using one at a time.
One thing is the download of my connection with IPsec is good , and so is the upload when using wireguard.
Will see if I can test in another location.
Thanks for helping
 

Samir

Very Senior Member
It doesn't surprise me that ipsec is faster--most hardware is tuned for it and it's the standard in the enterprise.
 

RMerlin

Asuswrt-Merlin dev
It doesn't surprise me that ipsec is faster--most hardware is tuned for it and it's the standard in the enterprise.

In this particular case, it's also because his router has hardware crypto acceleration that gets leveraged by Strongswan, so it improves IPSEC performance even further.

Here's some old test results I've had from my IPSEC performance tests on an Asus RT-AC86U, comparing software vs hardware crypto (bcmspu is Broadcom's hardware crypto driver). Tests were done by running iperf through a tunnel established within my LAN (so over 1 Gbps Ethernet):

Code:
Downstream (bcmspu):
P:\Tools>iperf -c 192.168.1.51 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 192.168.1.51, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[296] local 10.10.10.1 port 8334 connected with 192.168.1.51 port 5001
[ ID] Interval       Transfer     Bandwidth
[296]  0.0-30.0 sec  1.08 GBytes    309 Mbits/sec

CPU:  0.6% usr 64.6% sys  0.0% nic  8.2% idle  0.0% io  0.0% irq 26.4% sirq
Load average: 3.48 2.55 1.39 3/150 8377
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  215     2 admin    RW       0  0.0   1 47.6 [pdc_rx]
  206     2 admin    RW       0  0.0   0 41.6 [bcmsw_rx]
  813     1 admin    S     8336  1.8   1  0.6 watchdog
  943     1 admin    S     4924  1.1   0  0.3 networkmap --bootwait


Upstream (bcmspu):
C:\Users\Eric\Documents>iperf -c 10.10.10.1 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 10.10.10.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[296] local 192.168.1.51 port 2644 connected with 10.10.10.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[296]  0.0-30.0 sec    886 MBytes    248 Mbits/sec

CPU:  0.3% usr 67.1% sys  0.0% nic 12.2% idle  0.0% io  0.0% irq 20.3% sirq
Load average: 3.46 3.11 2.11 2/150 8645
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  206     2 admin    RW       0  0.0   1 45.6 [bcmsw_rx]
  215     2 admin    RW       0  0.0   0 40.5 [pdc_rx]
  805     1 admin    S     8672  1.9   0  0.2 httpd -i br0


Downstream (software only)
P:\Tools>iperf -c 192.168.1.51 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 192.168.1.51, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[292] local 10.10.10.1 port 1406 connected with 192.168.1.51 port 5001
[ ID] Interval       Transfer     Bandwidth
[292]  0.0-30.0 sec    475 MBytes    133 Mbits/sec

CPU:  0.1% usr 32.8% sys  0.0% nic 58.0% idle  0.0% io  0.0% irq  8.9% sirq
Load average: 3.16 2.99 2.44 3/150 8986
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  206     2 admin    RW       0  0.0   0 40.7 [bcmsw_rx]
  805     1 admin    S     8672  1.9   1  0.2 httpd -i br0
  943     1 admin    R     4924  1.1   1  0.2 networkmap --bootwait
 


Upstream (software only)
C:\Users\Eric\Documents>iperf -c 10.10.10.1 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 10.10.10.1, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[292] local 192.168.1.51 port 2851 connected with 10.10.10.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[292]  0.0-30.0 sec    381 MBytes    106 Mbits/sec

CPU:  0.2% usr 43.4% sys  0.0% nic 49.0% idle  0.0% io  0.0% irq  7.3% sirq
Load average: 3.12 2.97 2.38 3/152 8928
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  206     2 admin    RW       0  0.0   0 49.7 [bcmsw_rx]
  805     1 admin    S     8672  1.9   1  0.2 httpd -i br0
  943     1 admin    R     4924  1.1   1  0.2 networkmap --bootwait



Downstream (AF_ALG + AARCH64 modules)
E:\Share>iperf -c 192.168.1.51 -M 1400 -N -t 30
------------------------------------------------------------
Client connecting to 192.168.1.51, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[292] local 10.10.10.1 port 1715 connected with 192.168.1.51 port 5001
[ ID] Interval       Transfer     Bandwidth
[292]  0.0-30.0 sec    835 MBytes    233 Mbits/sec
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top