Since our update to 6.0.6 we're experiencing massive performance issues with our IPsec S2S tunnels (tested both IKEv1 and IKEv2).
Besides our internal north/south and east/west bridges, we're tapping our WAN<->WAN gateway traffic so Suricata is able to see what the gateway is doing, such as the S2S IPsec traffic.
Suricata is running as a bridge in IPS mode via AF-Packet on a dedicated server.
Without Suricata the S2S traffic runs at around 15-20MB/s, but with Suricata tapping it, it drops down to 300KB-1MB/s.
I disabled both the IKEv2 parser and the decoder in the config and started Suricata without any rules, but this didn't really improve the performance, resulting in 500KB-1.3MB/s.
Other protocols like HTTP/s, SSH, OpenVPN and VoIP don’t seem to be affected by this.
Custom debian distro
Intel X710 10GB SFP+ NICs running the i40e driver
NIC offloading is disabled
AF-Packet Config (WAN-WAN bridge):
- interface: eth8
- interface: eth9
Thanks in advance,
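For reference when comparing setups, this is the complete shape of an af-packet IPS pair for a WAN<->WAN bridge like the one described above. It is an added example, not the poster's own config: the interface names eth8/eth9 come from the post, every other value is an assumption.

```yaml
# Added example, not the poster's configuration. Two interfaces bridged in
# inline (IPS) mode: everything received on eth8 is copied to eth9 and vice
# versa, so both sides of the pair must reference each other.
af-packet:
  - interface: eth8
    threads: 4              # assumed; must be identical on both interfaces of an IPS pair
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no          # tpacket-v3 is not supported with copy-mode: ips
    copy-mode: ips
    copy-iface: eth9
  - interface: eth9
    threads: 4              # same thread count as eth8
    cluster-id: 99          # cluster-id must differ per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: eth8
```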