Re: [Ipsec-tools-users] [Openvpn-users] OpenVPN vs. IPSec performance
From: David B. <Dav...@he...> - 2007-02-13 08:31:46
iperf has the -F and -I options to use predefined data, so u can use the same as for the other tests.

________________________________
From: ope...@li... on behalf of Nejc Skoberne
Sent: Mon 12-Feb-07 18:23
To: ope...@li...; ips...@li...
Subject: [Openvpn-users] OpenVPN vs. IPSec performance

Hello folks,

I am working on a research about OpenVPN and IPSec performance. I am doing an evaluation of bandwidth and delay performance on FreeBSD systems with OpenVPN and ipsec-tools software. I am writing to this list because so far I have got a bit strange results when testing their performance.

Let me describe a little my first testbed:

[Linux client]
      |
      |
  [Router1]
     |||
     |||
  [Router2]
     |||
     ...
     |||
     |||
  [Router10]
      |
      |
[FreeBSD server]

So there are 10 FreeBSD 6.1 routers, a FreeBSD 6.1 server and a Linux Ubuntu 6.10 client. The topology was always the same, I was just changing the number of established VPNs between the server and the client and of course the type of VPN - OpenVPN and IPSec (ipsec-tools).

The second testbed was not tested yet, I am planning to test scalability as a function of the number of simultaneously connected (and transferring) VPN clients to the VPN gateway. Of course for both IPSec and OpenVPN. But this situation is not what I am talking about here.

I created a script which downloads 128MB file via HTTP, FTP, SMB and iperf ("pure" TCP) from the server to the client. I would like to draw conclusions about scalability of the number of VPN connections between the client and the server.
I did the measurements for OpenVPN and got these results (each measurement was repeated 9 times and then the mean was computed):

Number of VPNs  SMB [kB/s]  HTTP [B/s]  FTP [B/s]  iperf [kB/s]  ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57     9630588     10700136   9902,67       1,080
1               2946,14     3100290     3569819    5035,67       1,427
2               1923,77     2026082     2312693    3465,11       1,788
3               1650,19     1848989     2130939    3388,89       2,167
4               1472,79     1692140     1901855    3059,38       2,580
5               1398,39     1608982     1839668    2959          2,868
6               1324,77     1522765     1796560    2923,89       3,226
7               1247,46     1480822     1756947    2843,67       3,636
8               1192,31     1435238     1719665    2763,75       4,071
9               1158,36     1402470     1682964    2768,13       4,407
------------------------------------------------------------------------

For me, the results are quite what I would expect. The plaintext data went through almost with nominal 100Mbit/s speed. The first VPN connection slowed things down drastically. The only thing which is interesting to me is that the slowdown is not a linear function of the number of VPNs and that "iperf" went through VPNs much faster. I assume that is because of the compression. The files which I was transferring over SMB, FTP and HTTP were generated using /dev/random, which was not the case for iperf.

Now the interesting part is IPSec performance:

Number of VPNs  SMB [kB/s]  HTTP [B/s]  FTP [B/s]  iperf [kB/s]  ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57     9630588     10700136   9902,67       1,080
1               1621,5      1930545     1999285    1881,1        1,434
2               1001,5      1070713     1101005    1051,0        1,733
3               916,9       1069548     1101005    1045,0        2,161
4               868,0       1059062     1094014    1042,4        2,414
------------------------------------------------------------------------

So this is what I get by using ipsec-tools (racoon). I think these values are abnormally small for IPSec (that's why I didn't finish testing it, so the maximum number of VPNs included in the test here is 4, not 9).
As far as I understand, OpenVPN should be slower since there are many more context switches when a packet travels through the VPN connection.

The config files are published here:

http://nejc.skoberne.net/data/Faks/racoon.conf
http://nejc.skoberne.net/data/Faks/ipsec.conf
http://nejc.skoberne.net/data/Faks/openvpn-server.conf
http://nejc.skoberne.net/data/Faks/openvpn-client.conf

The current work-in-progress document (for more information on the experiment) can be found here:

http://nejc.skoberne.net/data/Faks/VPN1.pdf

The hardware is:

- HP ProLiant ML110 G4 (Xeon 1.86 GHz with 512MB RAM for FreeBSD server)
- Dell Inspiron 4150 (Pentium 4 1.6 GHz with 512MB RAM for Linux client)
- VIA EPIA-PD machines (VIA C3 1 GHz with 256MB RAM for FreeBSD routers)

Although VIA C3 processor supports VIA Padlock capability, it was not (at least not explicitly?) used during the tests.

So my questions are:

1. Do you have any ideas what might cause the unusual slowdown when using IPSec?
2. Do you have any experience to estimate what the results *should* look like?
3. What would you be interested in if you had all this hardware and time to test the VPN connections? What kind/type of performance?

Thanks a lot for your time. The results will be published on my blog when I finish the testing and process the results at http://nejc.skoberne.net.

Bye,
Nejc
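
Added example, not part of either message: a sketch of why the payload choice discussed above matters when a tunnel compresses each packet, comparing random bytes with a repeating pattern. Assumptions: zlib stands in for the tunnel's compressor, the 1400-byte packet size is a constructed value, and the repeating ASCII-digit pattern is an assumed stand-in for iperf's default buffer contents.

```python
import os
import zlib

PACKET_SIZE = 1400  # assumed tunnel payload per packet (constructed value)


def iperf_like_pattern(size):
    """Repeating ASCII digits: assumed stand-in for iperf's default data."""
    return (b"0123456789" * (size // 10 + 1))[:size]


def random_payload(size):
    """Incompressible bytes, like the test files generated from /dev/random."""
    return os.urandom(size)


def on_wire_ratio(payload, packet_size=PACKET_SIZE):
    """Bytes sent after per-packet compression divided by bytes offered.

    Every packet is compressed on its own. When compression does not shrink
    a packet, the original packet is counted instead (modelling assumption).
    """
    sent = 0
    for off in range(0, len(payload), packet_size):
        packet = payload[off:off + packet_size]
        sent += min(len(packet), len(zlib.compress(packet)))
    return sent / len(payload)


def compare(size=256 * 1024):
    """Return the on-wire ratio for both payload kinds."""
    return {
        "random": on_wire_ratio(random_payload(size)),
        "pattern": on_wire_ratio(iperf_like_pattern(size)),
    }


if __name__ == "__main__":
    for name, ratio in compare().items():
        print(f"{name:8s} on-wire/original = {ratio:.3f}")
```

A ratio near 1 means the tunnel carries every byte offered; a small ratio means the application-level throughput figure overstates what the encrypted path actually moved, so the iperf column is comparable to the file-transfer columns only when both use the same data.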