WireGuard vs IPSec performance

RouterOS General
1

I have done some testing with a commercial VPN provider using hAP ac2. The providers supports both WireGuard and IKEv2 IPSec, and I was curious to see how IPSec hardware acceleration comes into play. I used a computer with a static IP that was routed through VPN, using routing rules for WireGuard and srcnat for IPSec (to make it match the policy). Tested one scenario at a time, having disabled the other configuration.

The outcome was not what I would expect. Both options saturated my 120Mbit WAN link, so that is not a concern. With IPSec I saw one CPU core on the router hitting 70-80%, occasionally 90%. Profiling showed most CPU time on networking category. Other cores were much less used, the 4th core being hardly used at all. Overall utilization was 35-40%.
In the installed SA window I saw EH - HW-AEAD, which indicates the encryption was hardware accelerated.

With WireGuard overall CPU utilization was higher as expected, 50-60%, but it utilized all cores much better. Top core was 60-70% - lower than with IPSec. Top two cores were almost equally loaded. Profiling showed unclassified as the top category; wireguard category only a few percent. Because I don’t have to disable fasttrack with WireGuard, I watched that firewall rule graph as well. There was some fasttracking, around 3-8Mbps, some of it was likely other traffic on the network. But not enough to make a big impact on CPU in this particular test.

I have a few dozen firewall rules, queue trees enabled on interface HTB, and fasttracked enabled. For IPSec connection I had to add a rule to bypass fasttrack for the device routed through VPN. In both scenarios masquerade NAT is not fasttracked because after encapsulation the packet is originating from the router itself, hence output chain that is never fasttracked. So I don’t think fasttrack plays a role here.

The bottom line is hardware offloaded IPSec didn’t really have any advantage over CPU-based WireGuard encryption for this use case. In fact, it would hit the single-core ceiling sooner than WG. I have always thought I had IPSec acceleration in my back pocket as an extra hardware resource. But it turns out in real world the acceleration isn’t that useful. Of course, if I needed IPSec for other reasons, I’m sure without acceleration it would be much worse. I also realize not all devices have 4-core ARM CPU like hAP ac2 that can be leveraged by WireGuard so nicely. Something like hEX would very likely favor IPSec since it has higher CPU clock (better single core processing) and less cores (worse for WireGuard), although not sure if the two architectures can be compared directly.

Still, I fail to understand how it is possible that hardware accelerated IPSec was using more CPU. Yes, overall CPU was much less, but I’m not sure how much of it could be used for higher WAN bandwidth, for example, if it comes down to a single core being overloaded. The packet flow isn’t that much different between the two options:

WireGuard:
Device -> routing rule to WG -> srcnat                       -> WG encryption and encapsulation       -> routing to WAN out -> masquerade NAT
IPSec:
Device -> routing to WAN out -> srcnat -> IPSec policy match -> IPSec HW encryption and encapsulation -> routing to WAN out -> masquerade NAT

If the above is accurate, then it probably means IPSec policy match processing is quite heavy. I also suspect only encryption is done in hardware, but encapsulation is still done in CPU. So that’s double encapsulation for IPSec (as opposed to single with WG) - ESP first and then NAT-T. Perhaps the MTU was not optimal for IPSec, so if there was more packet fragmentation, that would add to CPU utilization. Although I didn’t have to make anything special for MTU in either cases. I don’t think fasttrack plays any role here since in both cases the packets are effectively destined to the router itself, and then originate from the router itself after processing.

Am I missing something? I’m also curious to hear your experience with IPSec hardware acceleration on MikroTik devices and how it affects CPU.

2

I will say right away - 2011 and WireGuard = a big problem even with constant traffic of 10-15 Mbps. CPU usage is high.
Screenshot_2011-wireguard.png
Screenshot_2011-ipip-no-ipsec.png
“Gradually” I’m changing the “outdated” 2011 to 4011, hAP ac2 and hAP ac3 in the offices. All of these routers are connected through VPN. Therefore, data encryption is important to me. As well as performance. New router models were chosen due to the declared hardware acceleration of encryption. On VPN channels, servers are backed up at night, video surveillance cameras are recording. That is, all channels are periodically heavily loaded.

Now - hAP ac2 tests.
Screenshot_hap-ac2-no-load.png
Screenshot_hap-ac2-ipip-ipsec-150mbit-cpu-37-percent.png
Screenshot_hap-ac2-wireguard-156mbit-cpu-57-percent.png
When using WireGuard, the speed in the channel is slightly higher. So as is the CPU load.

3

RB2011 is almost a decade old, and didn’t have one of the better CPUs at the time either, you can’t expect it to do anything good in 2022.
It somewhat works if you stick with ROS6 + fasttrack, but that’s about it.

4

Are you saying that maybe my nintendo 64 needs an upgrade??

5

It copes well with the switch + access point function in the 2.4 range. :slight_smile:

6

So how about IPSec? Have you tried that? From what I can see 2011 doesn’t support hardware acceleration. Presumably it would be even worse for CPU usage than WireGuard.

7

2011 + IPSec

Screenshot-2011-ipsec-speed-10-12_mbit-cpu-83-percent.png
Screenshot-2011-ipsec-speed-10-12_mbit-cpu-83-percent.png398×463 6.39 KB

8

Thank you for sharing the results. As expected, IPSec is much harder on CPU without hardware acceleration. Your earlier screenshot for WireGuard shows unclassified 13 + wireguard 4 = 17%. It’s not clear how much of this unclassified is from WireGuard, probably most of it. Even if we count all 17%, that’s still a lot less than 40.5% on encrypting IPSec.

9

I was wondering how this comparison between IPSec and Wireguard would be in a scenario with several tunnels, something between 600-900, with an average traffic of 2-3Mbps per tunnel running on a CCR1036 with 36 cores of 1200Mhz.

10

In case anyone wonder how Wireguard plays between CCR2004 and hAp ax2 here is some test results.
Link on both ends is 1gbps, ping latensy ~1 ms
CCR2004.png
hAP-ax2.png

11

ByeBye IPsec

12

As much as I prefer and like wireguard, don’t think ipsec will disappear that soon.

13

Bottom line to achive maximum throughput:

  • Use IPsec when hardware acceleration is available at both ends.
  • In other cases, use Wireguard.
14

And still it depends.
Even with IPSEC HW accel on both ends, WG may still be faster in some cases, e.g. if CPU has enough beef.

First see what’s possible for your situation.
Do the tests for the various options.
See what’s best / most practical (fastest is not always the best option).

15

Well, perhaps for some special case using a single tunnel.

A beefy CPU typically includes an even more beefy AES hw acceleration. If performance is a concern use IPsec otherwise invest in a Wireguard server farm. ;- )