Title: [Openvpn-users] OpenVPN vs. IPSec performance
iperf has the -F and -I options to use predefined data, so you can use the same as for the other tests.

From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Nejc Škoberne
Sent: Mon 12-Feb-07 18:23
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx; ipsec-tools-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [Openvpn-users] OpenVPN vs. IPSec performance
Hello folks,
I am working on research about OpenVPN and IPSec performance. I am doing an evaluation of bandwidth and delay performance on FreeBSD systems with OpenVPN and ipsec-tools software.
I am writing to this list because so far I have got a bit strange results when testing their performance.
Let me describe a little my first testbed:
 [Linux client]
       |
       |
   [Router1]
      |||
      |||
   [Router2]
      |||
      ...
      |||
      |||
   [Router10]
       |
       |
[FreeBSD server]
So there are 10 FreeBSD 6.1 routers, a FreeBSD 6.1 server and a Linux Ubuntu 6.10 client. The topology was always the same, I was just changing the number of established VPNs between the server and the client and of course the type of VPN - OpenVPN and IPSec (ipsec-tools).
The second testbed was not tested yet, I am planning to test scalability as a function of the number of simultaneously connected (and transferring) VPN clients to the VPN gateway. Of course for both IPSec and OpenVPN. But this situation is not what I am talking about here.
I created a script which downloads a 128MB file via HTTP, FTP, SMB and iperf ("pure" TCP) from the server to the client. I would like to draw conclusions about scalability of the number of VPN connections between the client and the server. I did the measurements for OpenVPN and got these results (each measurement was repeated 9 times and then the mean was computed):

Number of VPNs  SMB [kB/s]  HTTP [B/s]  FTP [B/s]  iperf [kB/s]  ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57     9630588     10700136   9902,67       1,080
1               2946,14     3100290     3569819    5035,67       1,427
2               1923,77     2026082     2312693    3465,11       1,788
3               1650,19     1848989     2130939    3388,89       2,167
4               1472,79     1692140     1901855    3059,38       2,580
5               1398,39     1608982     1839668    2959          2,868
6               1324,77     1522765     1796560    2923,89       3,226
7               1247,46     1480822     1756947    2843,67       3,636
8               1192,31     1435238     1719665    2763,75       4,071
9               1158,36     1402470     1682964    2768,13       4,407
------------------------------------------------------------------------

For me, the results are quite what I would expect. The plaintext data went through almost with nominal 100Mbit/s speed. The first VPN connection slowed things down drastically. The only thing which is interesting to me is that the slowdown is not a linear function of the number of VPNs and that "iperf" went through VPNs much faster; I assume that is because of the compression. The files which I was transferring over SMB, FTP and HTTP were generated using /dev/random, which was not the case for iperf.
Now the interesting part is IPSec performance:
Number of VPNs  SMB [kB/s]  HTTP [B/s]  FTP [B/s]  iperf [kB/s]  ping [ms]
------------------------------------------------------------------------
0 (plaintext)   6669,57     9630588     10700136   9902,67       1,080
1               1621,5      1930545     1999285    1881,1        1,434
2               1001,5      1070713     1101005    1051,0        1,733
3               916,9       1069548     1101005    1045,0        2,161
4               868,0       1059062     1094014    1042,4        2,414
------------------------------------------------------------------------

So this is what I get by using ipsec-tools (racoon). I think these values are abnormally small for IPSec (that's why I didn't finish testing it, so the maximum number of VPNs included in the test here is 4, not 9). As far as I understand, OpenVPN should be slower since there are many more context switches when a packet travels through the VPN connection.
The config files are published here:
http://nejc.skoberne.net/data/Faks/racoon.conf
http://nejc.skoberne.net/data/Faks/ipsec.conf
http://nejc.skoberne.net/data/Faks/openvpn-server.conf
http://nejc.skoberne.net/data/Faks/openvpn-client.conf
The current work-in-progress document (for more information on the experiment) can be found here:
http://nejc.skoberne.net/data/Faks/VPN1.pdf
The hardware is:
- HP ProLiant ML110 G4 (Xeon 1.86 GHz with 512MB RAM for FreeBSD server)
- Dell Inspiron 4150 (Pentium 4 1.6 GHz with 512MB RAM for Linux client)
- VIA EPIA-PD machines (VIA C3 1 GHz with 256MB RAM for FreeBSD routers)
Although VIA C3 processor supports VIA Padlock capability, it was not (at least not explicitly?) used during the tests.
So my questions are:
1. Do you have any ideas what might cause the unusual slowdown when using IPSec?
2. Do you have any experience to estimate what the results *should* look like?
3. What would you be interested in if you had all this hardware and time to test the VPN connections? What kind/type of performance?
Thanks a lot for your time. The results will be published on my blog when I finish the testing and process the results at http://nejc.skoberne.net.
Bye, Nejc
_______________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users
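
The thread attributes iperf's higher tunnel throughput to compression and suggests feeding iperf the same predefined data as the other tests. As an added example (not part of the original messages), this sketch models why payload choice skews such a benchmark. Assumptions: zlib stands in for the tunnel's compressor, the 1400-byte packet size and 1-byte flag are a simplified per-packet model, and repeating ASCII digits approximate iperf's default fill.

```python
import random
import zlib

PACKET = 1400  # assumed tunnel payload size per packet, in bytes


def iperf_like(n):
    """Repeating ASCII digits, an assumed model of iperf's default fill pattern."""
    return (b"0123456789" * (n // 10 + 1))[:n]


def random_like(n, seed=1):
    """Seeded pseudo-random bytes standing in for a file built from /dev/random."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def wire_bytes(payload, packet=PACKET):
    """Bytes a per-packet compressing tunnel would send for this payload.

    Simplified model: each packet is compressed on its own, sent raw when
    compression does not shrink it, and carries a 1-byte compressed/raw flag.
    """
    total = 0
    for off in range(0, len(payload), packet):
        chunk = payload[off:off + packet]
        total += 1 + min(len(chunk), len(zlib.compress(chunk)))
    return total


def apparent_speedup(payload):
    """How much faster the application stream looks than the link underneath."""
    return len(payload) / wire_bytes(payload)


if __name__ == "__main__":
    size = 256 * 1024
    for name, data in (("iperf-like", iperf_like(size)),
                       ("random", random_like(size))):
        print(f"{name:10s} wire={wire_bytes(data):7d} B  "
              f"speedup={apparent_speedup(data):.2f}x")
```

In this model the random payload gains nothing from compression and pays the flag byte on every packet, while the patterned payload shrinks to a small fraction of its size, so the two measurements are only comparable when both use the same data.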