How Much Difference Does an FPU Make for IPSec?

This should be a simple question to answer, right? I have an IPSec VPN host on a Pi2. Copying a simple 6MB file out to my blog host nets the following result:

24Mbit/s is not too shabby, all things considered. That said, I have a 200Mbit/s uplink here, so I’m guessing we can do considerably better. There are two things that can easily be done to improve this: go to hardware floating point, and upgrade the VPN router to a Pi 3.

I’m really curious about the impact of hardware floating point on IPSec (AES seems to use it based on five seconds of research, but I could easily be wrong). Seems like a good place to start, so let’s set up a new VPN server on a CentOS/ARM install. The procedure isn’t all that complicated really:

  • Install the minimal image on an unused card and fire it up on an unused Pi.
  • Remove the NetworkManager and NetworkManager-libnm packages and update the network config to work without it (NetworkManager is more trouble than it’s worth).
  • Do a yum upgrade to get the latest stuff.
  • Install ipa-client and change the root password.
  • Remove firewalld and install iptables-services (Firewalld has at least one serious security issue I’ve run into and doesn’t handle routing well — or at all, really).
  • Copy iptables configs over and enable it.
  • Install libreswan and copy the VPN configs over.
  • Add net.ipv4.ip_forward=1 to /etc/sysctl.d/51-vpn.conf.
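
Before spending time on throughput tests, it is worth checking what the kernel actually has to work with. The following is an added example shell script (not part of the original post) that reads /proc/cpuinfo and /proc/crypto to show whether the host advertises VFP/NEON and whether any AES implementation other than aes-generic is registered; the sample files and the aes-arm driver name in them are constructed for the demo, and calling the functions with no argument reads the live /proc files instead.

```shell
#!/bin/sh
# Added example, not from the original post: report whether an ARM host has
# hardware floating point / NEON and which AES implementation the kernel
# crypto API registered, read from the same files a Pi exposes under /proc.
set -eu

# Print the floating-point related flags (vfp*, neon*) from a cpuinfo file.
# $1: cpuinfo path (defaults to the live /proc/cpuinfo).
cpu_fp_features() {
    awk -F': ' '$1 ~ /^Features/ { print $2; exit }' "${1:-/proc/cpuinfo}" \
        | tr ' ' '\n' | grep -E '^(vfp|neon)' | tr '\n' ' ' | sed 's/ *$//'
}

# Print the driver names registered for the bare "aes" cipher. "aes-generic"
# is the portable C implementation; any other name is an arch-specific
# assembly or NEON implementation that the kernel will prefer by priority.
# $1: crypto path (defaults to the live /proc/crypto).
aes_drivers() {
    awk -F': ' '$1 ~ /^name/ { name = $2 }
                $1 ~ /^driver/ && name == "aes" { print $2 }' \
        "${1:-/proc/crypto}" | tr '\n' ' ' | sed 's/ *$//'
}

# Succeed (exit 0) when at least one non-generic AES driver is registered.
aes_accelerated() {
    aes_drivers "${1:-/proc/crypto}" | tr ' ' '\n' | grep -qv '^aes-generic$'
}

# Constructed sample files standing in for a Pi 2's /proc entries; the
# "aes-arm" driver name is illustrative, not copied from a real kernel.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/cpuinfo" <<'EOF'
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
EOF
cat > "$SAMPLE_DIR/crypto" <<'EOF'
name         : aes
driver       : aes-generic

name         : aes
driver       : aes-arm
EOF
echo "FP features : $(cpu_fp_features "$SAMPLE_DIR/cpuinfo")"
echo "AES drivers : $(aes_drivers "$SAMPLE_DIR/crypto")"
if aes_accelerated "$SAMPLE_DIR/crypto"; then
    echo "AES         : accelerated driver present"
else
    echo "AES         : generic C implementation only"
fi
```

On a real host, compare the output of `cpu_fp_features` against the toolchain's float ABI and the output of `aes_drivers` before and after the kernel change; if only aes-generic is listed, IPSec is using the portable C path regardless of the FPU.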

With that done, it’s time to try the card in the Pi2. Okay, no problem. Shut both hosts down, swap the cards, boot the new host, and we’re set. And we have a new kernel:

Excellent! Now we can finish up the configuration —

  • Join to the IPA domain
  • Enable and start ipsec and iptables

— and we’re ready to go. We repeat the same test from above, and we get:

Look familiar?
