
Re: [Openvpn-users] [Ipsec-tools-users] OpenVPN vs. IPSec performance


  • Subject: Re: [Openvpn-users] [Ipsec-tools-users] OpenVPN vs. IPSec performance
  • From: Mike Tancsa <mike@xxxxxxxxxx>
  • Date: Mon, 12 Feb 2007 15:30:56 -0500

At 12:23 PM 2/12/2007, Nejc Škoberne wrote:
>So my questions are:
>
>1. Do you have any ideas what might cause the unusual slowdown when
>using IPSec?

Try the OpenVPN tests with tls-auth as well, as this will be a little
more "fair" as you have hmac_sha1 on the ipsec side of things. I
think pfs also adds overhead that is not present in OpenVPN, so try
with it off.  Also, what is the default encryption on OpenVPN?  Try
changing it to 3des just like you are using in IPSEC.  For the
FreeBSD side make sure you use FAST_IPSEC as it's faster (even without
hardware acceleration) than the KAME version on FreeBSD which is the default.

i.e. add in
options         FAST_IPSEC              #new IPsec
device  crypto
device cryptodev

and take out INET6 and the other 2 ipsec defs


>2. Do you have any experience to estimate what the results *should* look
>like?
>
>3. What would you be interested in if you had all this hardware and time
>to test the VPN connections? What kind/type of performance?


We use both IPSEC and OpenVPN and personally, I prefer OpenVPN if I
control both ends. It's much more flexible, especially in environments
where NATing or dynamic IP addresses are involved or goofy MTU issues
(e.g. PPPoE)... It's a LOT easier to deal with such environments with
OpenVPN.  Also, you can cram in many more connections than IPSEC (on
FreeBSD at least).  Once you add in more than a few hundred IPSEC
policies you start to run into problems with the SADB structure
hitting some hard limits. (At least on FreeBSD).  For us, 250 was
kind of the limit for total policies and associations and if you have
a lot of tunnels re-keying at the same time, you could hit that limit
sooner than later.  Other than that, IPSEC on FreeBSD is quite stable
especially using IPSEC Tools.  The old version of racoon had quite a
few bugs that we would trip on, but these days it's quite stable....
Then again, so is OpenVPN.

If you are using C3 based boxes, try using AES as the default 
encryption and using
engine padlock
in your openvpn config file.

On FreeBSD to use the Via padlock acceleration, load in device 
padlock to offload IPSEC AES crypto transformations.

Use FreeBSD 6.2 as there are a number of bug fixes as well.

         ---Mike 
