 
 From:  "Dan MacMillan" <danm at emerald dash associates dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  False sense of (IPsec)urity?
 Date:  Fri, 4 Nov 2005 23:06:50 -0700
Hi,
 
Further to my previous email, I decided to re-set up my test VPN between my house and the office for
performance testing.
 
How I tested:
 
Download a huge ( > 800 megabyte) file from an FTP server at our office using its private IP
address, therefore through the IPSec tunnel, and measure the speed.
 
Then download the same file from a different FTP server at our office through the public IP address
of the office monowall, hence NAT'd and not encrypted, and measure the speed.
 
Compare the numbers.
 
Be amazed.  The tunneled download ran at an average speed of 526.71 kilobytes per second, as
reported by the Windows XP command line FTP client.  The untunneled download ran at 614.48 kilobytes
per second.  The tunneled download appeared to have been only 20% slower.  This just does not seem
to be even close to the numbers I have seen in the archives on this list.  Is my connection really
encrypted?
 
At the office, our internet connection can sustain 7.5 - 8.5 Mbps, as reported by the monowall
traffic graph.  The firewall at the office is an old PII 350MHz machine with 64MB of RAM running
monowall 1.2.  During the tunneled download the CPU utilization graph seemed to average around 20%. 
During the untunneled download it was around 5%, if that.
 
At home, I have a reasonably fast cable modem connection that can achieve speeds of between 700 and
800 kilobytes per second using bittorrent, which is probably not a very precise way of measuring its
capabilities but should allow you to ballpark it.  My firewall is an old 266MHz AMD K6 machine with
64MB of RAM also running monowall 1.2.  During the tunneled download the CPU utilization graph
seemed to average around 33%.  I didn't scrutinize the CPU utilization during the untunneled
download but it was also probably around 5%.
 
The IPSec is configured with:
 
Phase 1:
Aggressive
Blowfish
SHA1
DH group 2
 
Phase 2:
ESP
Blowfish
SHA1
PFS key group 2.
 
The numbers I have seen posted to this list comparing IPSec performance on embedded platforms seem
to indicate that others are getting tunneled throughput that is only around 1/3 of the untunneled
throughput.  I haven't yet seen anyone claim numbers like what I am seeing, where the tunneled
throughput appears to be around 5/6 of the untunneled throughput.
 
I am no network guru.  I don't know how to determine whether it is working correctly by sniffing
packets or anything, and I don't think I'm equipped for it anyway (I do have a spare computer I
could use, but I don't have any hubs).  If the numbers are reasonable, then I'll just consider
myself lucky to have a system that exceeds my expectations.
 
-- 
Dan MacMillan
Integration Specialist
Emerald Associates
danm at emerald dash associates dot com
(403)686-8930
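The question the post ends on, whether the WAN side really carries ESP rather than the FTP session in the clear, can be answered from a capture of the WAN interface without any network expertise. The following is an added example, not part of the original message or of m0n0wall: it parses raw Ethernet/IPv4 frames, labels each as ESP (IP protocol 50), IKE (UDP 500/4500), a plaintext packet addressed to the office LAN (a leak that bypassed the tunnel), or other, and reports whether the tunnel looks healthy. The office subnet and all addresses are constructed placeholders, and the sample frames are built inline rather than taken from a real capture.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

# Placeholder for the office LAN reached through the tunnel (constructed, not the real subnet).
OFFICE_LAN = ip_network("192.168.10.0/24")

def build_frame(proto, src, dst, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame; used only to construct sample input."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload   # dummy MACs, EtherType IPv4

def classify_frame(frame):
    """Label one WAN-side frame as 'esp', 'isakmp', 'leak' or 'other'.
    'leak' means an unencrypted packet addressed to the office LAN, i.e. traffic
    that should have entered the tunnel but crossed the WAN in the clear."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "other"                      # not an IPv4 frame
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    proto = ip[9]
    dst = ip_address(ip[16:20])
    if proto == 50:
        return "esp"                        # ESP: the encrypted tunnel payload
    if proto == 17 and len(ip) >= ihl + 8:  # UDP: look for IKE on 500 or NAT-T on 4500
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if {sport, dport} & {500, 4500}:
            return "isakmp"
    if dst in OFFICE_LAN:
        return "leak"
    return "other"

def tunnel_report(frames):
    """Return (per-class counts, healthy) where healthy requires ESP seen and no leaks."""
    counts = Counter(classify_frame(f) for f in frames)
    return dict(counts), counts["esp"] > 0 and counts["leak"] == 0

# Constructed sample capture: two ESP packets between the two public addresses, one IKE
# packet, and one plaintext FTP control packet (TCP port 21) that leaked to the office LAN.
SAMPLE_FRAMES = [
    build_frame(50, "203.0.113.7", "198.51.100.9", b"\x00" * 32),
    build_frame(50, "198.51.100.9", "203.0.113.7", b"\x00" * 32),
    build_frame(17, "203.0.113.7", "198.51.100.9", struct.pack("!HHHH", 500, 500, 8, 0)),
    build_frame(6, "203.0.113.7", "192.168.10.20", struct.pack("!HH", 40000, 21) + b"\x00" * 16),
]

if __name__ == "__main__":
    print(tunnel_report(SAMPLE_FRAMES))
```

On a real system the frames would come from a capture taken on the home or office firewall's WAN interface during the download; a healthy tunnel shows only ESP and IKE to the peer's public address and no leaked packets.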