[ previous ] [ next ] [ threads ]
 From:  Cemil Browne <cbrowne at dubsat dot com dot au>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  WRAP Performance Testing & VPN1411 Bug
 Date:  Mon, 20 Feb 2006 17:29:13 +1100
Hi all,

I am doing some performance testing using WRAP boards with m0n0wall  
1.21 and have come across an interesting bug.


[powerbook]  <-> WRAP 1.21 <-> Cisco PIX 515 (*not* E)  <-> Fast server

All connections are either crossover or fast-e switch

Relevant results (All obtained using iperf):

PB->server direct:  94.1 Mbits

PB->WRAP->PIX->server using DES/SHA1 IPSEC tunnel  (no HW Crypto  
card):  *****4 Mbits (average)*****
PB->WRAP->PIX->server using DES/SHA1 IPSEC tunnel (VPN1411 Crypto  
Card):  ***** 2 Mbits (average) *****
Reverse:  3.5 Mbit!

Notice that inserting the VPN1411 actually HALVES the speed of  
outgoing IPSEC processing!

This PIX does not have 3DES capabilities (it is getting phased out).   
I have done wrap->wrap testing with 3DES.


PB->WRAP->WRAP->server using no encryption & no NAT:  38-40 Mbit
PB->WRAP->WRAP->server using 3des/SHA1: 3.5 Mbit
PB->WRAP->WRAP->server using 3des/SHA1 + VPN1411:  8-9 Mbit

Clearly the VPN1411 makes a huge difference for 3des encryption, but  
why the slow-down for des?  Also, why not have an option to disable  
HW crypto in configuration, if that is the case?

Cemil Browne
Network Operations Manager
Dubsat Pty. Ltd.

Ph:  +61 2 9438 3455
************** IMPORTANT MESSAGE *************

This e-mail message is intended only for the addressee(s) and may  
contain information that is confidential and the copyright of DubSat  
or a third party.

If you are not the intended recipient please advise the sender by  
return email, do not use or disclose the contents, and delete the  
message and any attachments from your system. If you are the intended  
recipient of this communication you should not copy, disclose or  
distribute this communication without the authority of DubSat.

Any views expressed in this communication are those of the individual  
sender, except where the sender specifically states them to be the  
views of DubSat.

Unless specifically indicated, this email does not constitute formal  
advice or commitment by the sender or DubSat Pty Ltd (ABN 12 082 402  
739) ATF the DubSat Unit Trust.