
[Openvpn-users] OpenVPN vs. IPSec performance


  • Subject: [Openvpn-users] OpenVPN vs. IPSec performance
  • From: Nejc Škoberne <nejc@xxxxxxxxxxxx>
  • Date: Mon, 12 Feb 2007 18:23:44 +0100

Hello folks,

I am working on research about OpenVPN and IPSec performance. I am 
doing an evaluation of bandwidth and delay performance on FreeBSD 
systems with OpenVPN and ipsec-tools software.

I am writing to this list because so far I have got somewhat strange 
results when testing their performance.

Let me briefly describe my first testbed:


      [Linux client]
            |
            |
        [Router1]
           |||
           |||
        [Router2]
           |||
           ...
           |||
           |||
        [Router10]
            |
            |
     [FreeBSD server]

So there are 10 FreeBSD 6.1 routers, a FreeBSD 6.1 server and a Linux 
Ubuntu 6.10 client. The topology was always the same, I was just 
changing the number of established VPNs between the server and the 
client and of course the type of VPN - OpenVPN and IPSec (ipsec-tools).

The second testbed was not tested yet, I am planning to test scalability 
as a function of the number of simultaneously connected (and 
transferring) VPN clients to the VPN gateway. Of course for both IPSec 
and OpenVPN. But this situation is not what I am talking about here.

I created a script which downloads a 128MB file via HTTP, FTP, SMB and
iperf ("pure" TCP) from the server to the client. I would like to draw
conclusions about scalability of the number of VPN connections between
the client and the server. I did the measurements for OpenVPN and got
these results (each measurement was repeated 9 times and then the mean
was computed):

Number of VPNs  SMB [kB/s] HTTP [B/s] FTP [B/s]   iperf [kB/s] ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57    9630588    10700136    9902,67      1,080
1               2946,14    3100290    3569819     5035,67      1,427
2               1923,77    2026082    2312693     3465,11      1,788
3               1650,19    1848989    2130939     3388,89      2,167
4               1472,79    1692140    1901855     3059,38      2,580
5               1398,39    1608982    1839668     2959         2,868
6               1324,77    1522765    1796560     2923,89      3,226
7               1247,46    1480822    1756947     2843,67      3,636
8               1192,31    1435238    1719665     2763,75      4,071
9               1158,36    1402470    1682964     2768,13      4,407
------------------------------------------------------------------------

For me, the results are quite what I would expect. The plaintext data
went through at almost the nominal 100Mbit/s speed. The first VPN 
connection slowed things down drastically. The only thing which is
interesting to me is that the slowdown is not a linear function of the
number of VPNs and that "iperf" went through VPNs much faster; I assume
that is because of the compression. The files which I was transferring
over SMB, FTP and HTTP were generated using /dev/random, which was not
the case for iperf.

Now the interesting part is IPSec performance:

Number of VPNs  SMB [kB/s] HTTP [B/s] FTP [B/s]   iperf [kB/s] ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57    9630588    10700136    9902,67      1,080
1               1621,5     1930545    1999285     1881,1       1,434
2               1001,5     1070713    1101005     1051,0       1,733
3               916,9      1069548    1101005     1045,0       2,161
4               868,0      1059062    1094014     1042,4       2,414
------------------------------------------------------------------------

So this is what I get by using ipsec-tools (racoon). I think these 
values are abnormally small for IPSec (that's why I didn't finish 
testing it, so the maximum number of VPNs included in the test here is 
4, not 9). As far as I understand, OpenVPN should be slower since there 
are many more context switches when a packet travels through the VPN 
connection.

The config files are published here:

http://nejc.skoberne.net/data/Faks/racoon.conf
http://nejc.skoberne.net/data/Faks/ipsec.conf
http://nejc.skoberne.net/data/Faks/openvpn-server.conf
http://nejc.skoberne.net/data/Faks/openvpn-client.conf

The current work-in-progress document (for more information on the 
experiment) can be found here:

http://nejc.skoberne.net/data/Faks/VPN1.pdf

The hardware is:

- HP ProLiant ML110 G4 (Xeon 1.86 GHz with 512MB RAM for FreeBSD server)
- Dell Inspiron 4150 (Pentium 4 1.6 GHz with 512MB RAM for Linux client)
- VIA EPIA-PD machines (VIA C3 1 GHz with 256MB RAM for FreeBSD routers)

Although the VIA C3 processor supports the VIA Padlock capability, it was
not (at least not explicitly?) used during the tests.

So my questions are:

1. Do you have any ideas what might cause the unusual slowdown when 
using IPSec?

2. Do you have any experience to estimate what the results *should* look 
like?

3. What would you be interested in if you had all this hardware and time
to test the VPN connections? What kind/type of performance?


Thanks a lot for your time. The results will be published on my blog 
when I finish the testing and process the results at 
http://nejc.skoberne.net.

Bye,
Nejc
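
Added example (not part of the original post): a short Python script that re-reads the two result tables above, with the figures copied from the post, and expresses them unit-free as a fraction of the plaintext row, since the columns mix kB/s and B/s. It also computes how much of the total throughput loss the first VPN already accounts for and fits the ping column against the number of VPNs; all function names are hypothetical.

```python
OPENVPN = """\
0 (plaintext)   6669,57    9630588    10700136    9902,67      1,080
1               2946,14    3100290    3569819     5035,67      1,427
2               1923,77    2026082    2312693     3465,11      1,788
3               1650,19    1848989    2130939     3388,89      2,167
4               1472,79    1692140    1901855     3059,38      2,580
5               1398,39    1608982    1839668     2959         2,868
6               1324,77    1522765    1796560     2923,89      3,226
7               1247,46    1480822    1756947     2843,67      3,636
8               1192,31    1435238    1719665     2763,75      4,071
9               1158,36    1402470    1682964     2768,13      4,407
"""
IPSEC = """\
0 (plaintext)   6669,57    9630588    10700136    9902,67      1,080
1               1621,5     1930545    1999285     1881,1       1,434
2               1001,5     1070713    1101005     1051,0       1,733
3               916,9      1069548    1101005     1045,0       2,161
4               868,0      1059062    1094014     1042,4       2,414
"""
COLS = ("smb", "http", "ftp", "iperf", "ping")  # column order in both tables

def parse(table):
    """Map VPN count -> {column: value}; decimal commas become points."""
    rows = {}
    for tok in map(str.split, table.strip().splitlines()):
        vals = [float(t.replace(",", ".")) for t in tok[-len(COLS):]]
        rows[int(tok[0])] = dict(zip(COLS, vals))
    return rows

def relative(rows, col):
    """Throughput as a fraction of the plaintext (0 VPN) row; unit-free."""
    base = rows[0][col]
    return {n: r[col] / base for n, r in rows.items() if n > 0}

def first_vpn_share(rows, col):
    """Fraction of the total throughput loss already incurred by VPN #1."""
    return (rows[0][col] - rows[1][col]) / (rows[0][col] - rows[max(rows)][col])

def ping_slope(rows):
    """Least-squares slope of ping [ms] against the number of VPNs."""
    xs, ys = list(rows), [r["ping"] for r in rows.values()]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sum((x - mx) ** 2 for x in xs)

if __name__ == "__main__":
    for name, rows in (("OpenVPN", parse(OPENVPN)), ("IPsec", parse(IPSEC))):
        print(name, relative(rows, "iperf"), first_vpn_share(rows, "iperf"), ping_slope(rows))
```

On these figures the throughput loss is concentrated in the first VPN for both stacks, while ping grows by roughly the same amount per added VPN in both tables.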