Improving Network Performance by Using IPsec Task Offload

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Although IPsec is critically important for helping secure the network traffic going to and from your computers, its mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your computer from making use of all of the available bandwidth. As your security requirements increase and you switch to higher security algorithms, the computing power required by the IPsec algorithms also increases. The large demands placed on the CPU by the IPsec integrity and encryption algorithms might reduce the performance of your network connections.

It is recommended that you use the cryptographic algorithms and methods that provide the minimum acceptable level of security in your design. In other words, do not use 256-bit or 384-bit algorithms if a 192-bit algorithm adequately protects your network traffic. A sensitivity analysis of the data you transmit on your network will help you determine the minimum required level of protection.

Use Group Policy to set the global cryptographic algorithms used by IPsec on your network. In your Group Policy Object (GPO), open the Windows Firewall with Advanced Security Properties page and click the IPsec Settings tab. In the IPsec defaults section, click Customize. You can configure the algorithms used to negotiate protection for both the main mode and quick mode security associations (SAs), and the authentication options available. Changing these settings alters them for all IPsec connections made to and from a computer whose connection security rules do not specify otherwise, and that do not match a main mode rule.

To further reduce the load placed on the CPU by cryptographic algorithms, you can use network adapters that support IPsec task offload. The following sections help you to determine if your network adapters support IPsec task offload and configure your servers to use this capability.

Hardware-based IPsec task offload

IPsec task offload is a technology built into the Windows operating system that supports network adapters equipped with hardware that reduces the CPU load by performing this computationally intensive work. By moving this workload from the main computer’s CPU to a dedicated processor on the network adapter, you can make dramatically better use of the bandwidth that is available to your IPsec-enabled computer.

How can I tell if my network adapter supports IPsec task offload?

To determine if your computer has an adapter that supports IPsec task offload, perform the following steps.

To determine if your network adapter supports IPsec task offload

  1. Start Device Manager. Click Start, click Control Panel, click Hardware and Sound, and then click Device Manager.

  2. In Device Manager, expand Network adapters, and then double-click the adapter that you want to check.

  3. On the Properties dialog box, click the Advanced tab.

  4. If IPsecOffloadV2 appears in the Property list, then the network adapter supports IPsec task offload. If IPsecOffloadV2 does not appear, then your network adapter does not support this feature.

How do I turn IPsec task offload on or off?

By default, IPsec task offload is globally enabled for the operating system, which makes it available to every network adapter. You must additionally enable it on each network adapter: if several adapters should use IPsec task offload, turn it on for each one. The adapter setting applies to that adapter only, and its default value is determined by the network adapter's manufacturer.

Enabling the setting for an individual network adapter

To enable or disable the IPsec task offload setting for an individual network adapter, perform the following steps.

To enable or disable IPsec task offload for an individual network adapter

  1. Start Device Manager. Click Start, click Control Panel, click Hardware and Sound, and then click Device Manager.

  2. In Device Manager, expand Network adapters, and then double-click the adapter that you want to configure to use IPsec task offload.

  3. On the Properties dialog box, click the Advanced tab.

  4. In the property list, select IPsecOffloadV2.

  5. Change the Value list entry to one of the following settings:

    • Disabled (default value). Turns off the IPsec task offload option for this network adapter.

    • Auth Header & ESP Enabled. Enables IPsec task offload and configures it to process IPsec packets that use either Authentication Header (AH) or Encapsulating Security Payload (ESP).

    • Auth Header Enabled. Enables IPsec task offload and configures it to process IPsec packets that use AH.

    • ESP Enabled. Enables IPsec task offload and configures it to process IPsec packets that use ESP.

How do I verify that IPsec task offload is working?

To verify that IPsec task offload is working, perform the following steps.

To verify that IPsec task offload is working on your computer

  1. Start Performance Monitor. Click Start, click Run, type perfmon, and then press ENTER.

  2. In the navigation pane, click Performance Monitor.

  3. In the details pane, click the green plus sign (+) in the toolbar.

  4. In the Add Counters dialog box, select IPsec Driver from the list, click Add, and then click OK.

  5. In the list of counters at the bottom of the graph, select the values for Offloaded Bytes Received/sec, Offloaded Bytes Sent/sec, and Offloaded Security Associations. The values displayed for each counter show the IPsec activity that is being handled by the dedicated IPsec processor on the network adapter.
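The support check and the counter check above, combined into one read-only PowerShell audit. This is an added example, not part of the original article; it assumes that the IPsecOffloadV2 entry on the Advanced tab comes from the driver's Ndi\params\*IPsecOffloadV2 subkey under the network adapter class key {4D36E972-E325-11CE-BFC1-08002BE10318}, and that the standardized keyword values 0, 1, 2 and 3 correspond to the four Value list entries listed earlier.

```powershell
# Added example, not from the original article. Read-only audit of IPsec task offload:
# which adapters expose the IPsecOffloadV2 property and how it is set, then a sample of
# the IPsec Driver counters that the procedure above reads in Performance Monitor.
# Assumptions: the network adapter class GUID and the NDIS standardized keyword
# *IPsecOffloadV2 (0 Disabled, 1 Auth Header, 2 ESP, 3 Auth Header & ESP).
$netClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$settingNames = @{ '0' = 'Disabled'; '1' = 'Auth Header Enabled'
                   '2' = 'ESP Enabled'; '3' = 'Auth Header & ESP Enabled' }

function Get-IPsecOffloadAdapterStatus {
    Get-ChildItem -Path $netClass -ErrorAction SilentlyContinue | ForEach-Object {
        # Device Manager lists IPsecOffloadV2 on the Advanced tab only when the driver defines it here.
        $paramKey = Join-Path $_.PSPath 'Ndi\params\*IPsecOffloadV2'
        if (Test-Path -LiteralPath $paramKey) {
            $drv = Get-ItemProperty -LiteralPath $_.PSPath
            $raw = $drv.'*IPsecOffloadV2'
            # No explicit value in the driver key means the INF default applies.
            if ($null -eq $raw) { $raw = (Get-ItemProperty -LiteralPath $paramKey).default }
            $raw = [string]$raw
            $label = if ($settingNames.ContainsKey($raw)) { $settingNames[$raw] } else { "Unknown ($raw)" }
            New-Object PSObject -Property @{ Adapter = $drv.DriverDesc; Setting = $label }
        }
    }
}

function Get-IPsecOffloadCounterAverage {
    param([int]$Samples = 5)
    $paths = '\IPsec Driver\Offloaded Bytes Received/sec',
             '\IPsec Driver\Offloaded Bytes Sent/sec',
             '\IPsec Driver\Offloaded Security Associations'
    # Non-zero averages mean the adapter, not the CPU, is handling that IPsec work.
    Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Samples |
        Select-Object -ExpandProperty CounterSamples |
        Group-Object -Property Path | ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            New-Object PSObject -Property @{ Counter = $_.Name; Average = [math]::Round($avg, 2) }
        }
}

Get-IPsecOffloadAdapterStatus | Format-Table -AutoSize
Get-IPsecOffloadCounterAverage | Format-Table -AutoSize
```

An adapter that does not appear in the first table has no IPsecOffloadV2 property and cannot offload; counters that stay at zero while IPsec traffic flows indicate the adapter setting is still Disabled or the global switch is off.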

Turning off the global setting for the entire computer

To turn off the global IPsec task offload setting, perform the following steps. By default, this global setting is turned on.

Warning

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To turn off IPsec task offload for all network adapters on the computer

  1. Open the Registry Editor. Click Start, click Run, type regedit.exe, and then press ENTER.

  2. Expand Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPsec\EnableOffload

    In the navigation pane, expand Computer, expand HKEY_LOCAL_MACHINE, expand System, expand CurrentControlSet, expand Services, expand IPsec, and then expand EnableOffload.

Note

If the IPsec or EnableOffload keys do not exist, then create them. Create IPsec under Services, and then create EnableOffload under IPsec.

  3. Right-click the EnableOffload key, click New, and then click DWORD (32-bit) Value.

  4. Type EnableOffload for the name.

  5. Double-click the new EnableOffload value. To globally turn off IPsec task offload for all adapters, type 0. To subsequently turn it back on, change this value to 1.

  6. You must restart the computer for the change to take effect.
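The registry procedure above as PowerShell functions. This is an added example, not part of the original article; it writes the same key and DWORD value the steps describe, creates the IPsec and EnableOffload keys when they are missing as the Note says, and must be run from an elevated prompt followed by a restart.

```powershell
# Added example, not from the original article. Scripted form of the registry procedure
# above: same key, same DWORD value, same key creation when IPsec or EnableOffload is
# missing. Run from an elevated prompt; the change still needs a restart to take effect.
$globalKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec\EnableOffload'

function Get-IPsecOffloadGlobalSetting {
    $item = Get-ItemProperty -Path $globalKey -Name 'EnableOffload' -ErrorAction SilentlyContinue
    # An absent value means the default, which the article states is globally enabled.
    if ($null -eq $item) { 'Enabled (default, no value set)' }
    elseif ($item.EnableOffload -eq 1) { 'Enabled' }
    else { 'Disabled' }
}

function Set-IPsecOffloadGlobalSetting {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    # New-Item -Force creates Services\IPsec and IPsec\EnableOffload if either is missing.
    if (-not (Test-Path -Path $globalKey)) { New-Item -Path $globalKey -Force | Out-Null }
    # 0 turns task offload off for every adapter; 1 turns it back on.
    New-ItemProperty -Path $globalKey -Name 'EnableOffload' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    Get-IPsecOffloadGlobalSetting
}

# Report the current state. To turn the global switch off, run:
#   Set-IPsecOffloadGlobalSetting -Enabled $false
# and restart; -Enabled $true restores it.
Get-IPsecOffloadGlobalSetting
```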