IPsec VPN encryption performance

Hello,
What is the most effective IPsec encryption algorithm for MIPS 24Kc V7.4 CPU related boards? It seems 3des, which is the default setting, consumes lots of CPU cycles.

Yes, it does; but the biggest issue (at least in our case) was the hash algorithm.
We got 3 times the throughput by switching from sha1 to md5.
Maybe this will help in your case too.

I have recently switched from 3des to aes-128 and md5 on my networks after switching to FTTH, because the RB751G-2HnD units I have at a few locations with 10 Mbit/s FTTH could not handle more than 6 Mbit/s over IPsec (100% CPU) in my case. Now they can handle 10 Mbit/s of our typical traffic with about 75% CPU load, so the increase in performance is great with aes-128.
It would be nice to see some real test data with 64/512/1518-byte frames, but I couldn’t find any. I haven’t tried camellia yet, but I believe CPU consumption should be similar to aes.

This is an old thread, but I’ve been googling for almost an hour and I’m unable to find recent info about this topic.

Here’s the info for anyone that’s curious. I’ve tested a Mikrotik HEX LITE running version 7.15.3 stable. The test consisted of transferring a large folder from my laptop at home to my desktop at the office (both sites have a 300Mbps fiber connection to the internet). The Mikrotik HEX LITE is located in the office. There’s no Mikrotik at home. My laptop at home dials the VPN to the Mikrotik router at the office, which is directly connected by an ethernet cable to my office desktop computer.

IMPORTANT: The client for WireGuard is the one downloaded from the official website, and the client for L2TP/IPSec is the built-in one included by Microsoft in Windows.

Both computers are running Windows 10 and my laptop has the DWORD value AllowL2TPWeakCrypto set to 1 in this registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]

Test with WIREGUARD:

  • CPU usage hovers around 90-95%
  • Network throughput around 49 Mbit/s

Test with L2TP/IPSec and AES-128 with SHA-1:

  • CPU usage constantly pegged at 100%
  • Network throughput around 25 Mbit/s

Test with L2TP/IPSec and Single-DES with MD5:

  • CPU usage constantly pegged at 100%
  • Network throughput around 24 Mbit/s

Test with L2TP/IPSec and Single-DES with SHA-1:

  • CPU usage constantly pegged at 100%
  • Network throughput around 23 Mbit/s

Test with L2TP/IPSec and Triple-DES with MD5:

  • CPU usage constantly pegged at 100%
  • Network throughput around 13 Mbit/s

Test with L2TP/IPSec and Triple-DES with SHA-1:

  • CPU usage constantly pegged at 100%
  • Network throughput around 12 Mbit/s

NOTE: Please note that I’ve not been able to test AES-128 with MD5 because Windows will not connect. I always get an error no matter how hard I try :(