[ previous ] [ next ] [ threads ]
 
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  net4501/net4801/WRAP IPsec throughput comparison
 Date:  Sun, 13 Jun 2004 13:08:11 +0200
Peter Curran generously donated a vpn1411 crypto card, which arrived
yesterday. I decided to do a detailed throughput comparison between a
net4501, net4801 and a WRAP board. Judging from the results, it would
appear that the FreeBSD hifn driver needs more work to support the
Hifn 7955 (as used on the vpn1411) properly. Furthermore, it looks
like something is preventing the card from working in a useful way on
either the net4501 or the net4801 under FreeBSD 4.10.


Test setup:

[XP notebook] ----- LAN [device to be tested] WAN ----- [FreeBSD PC]

- in IPsec throughput tests, the ESP tunnel was established between
m0n0wall and the FreeBSD PC (which was running racoon and FAST_IPSEC)

- FreeBSD PC hardware: P4 2.8 GHz (CPU usage was below 50% at all
times during the tests)

- m0n0wall configuration: factory defaults (except for "block private
networks on WAN" disabled, an inbound NAT mapping + rule in the
WAN->LAN no-IPsec test and of course the IPsec tunnel)

- the highest of three iperf TCP readings was used (10 seconds each)

- all network connections 100 Mbps Ethernet

- iperf throughput between XP notebook and FreeBSD PC with no
m0n0wall in between: 94 Mbps in both directions

- all test results given in Mbps (LAN->WAN / WAN->LAN)

- the net4501 detected and initialized the vpn1411 properly, but the
card seemed to lock up after a few hundred KBs (no more traffic
passed the IPsec tunnel)

- the net4801 detected and initialized the vpn1411 without errors as
well, but performance was, well, slightly suboptimal ;)


Test results:

----------------------------------------------------------------------
WRAP (233 MHz)
----------------------------------------------------------------------
no IPsec:		38.3 / 42.8

no crypto card
--------------
3DES-MD5:		3.64 / 3.52
3DES-SHA1:		3.03 / 2.94
Blowfish-MD5:	7.93 / 7.68
Blowfish-SHA1:	5.51 / 5.36
CAST128-MD5:	7.80 / 7.35
CAST128-SHA1:	5.44 / 5.21
AES128-MD5:	7.20 / 7.13
AES128-SHA1:	5.10 / 5.00

vpn1211
-------
3DES-MD5:		11.2 / 11.7
3DES-SHA1:		11.2 / 11.7

vpn1411
-------
3DES-MD5:		10.3 / 9.27
3DES-SHA1:		10.3 / 9.48
AES128-MD5:	10.2 / 9.72
AES128-SHA1:	10.2 / 9.62


----------------------------------------------------------------------
net4501
----------------------------------------------------------------------no
IPsec:		16.5 / 18.5

no crypto card
--------------
3DES-MD5:		2.07 / 2.02
3DES-SHA1:		1.59 / 1.55
Blowfish-MD5:	3.99 / 3.89
Blowfish-SHA1:	2.52 / 2.48
CAST128-MD5:	3.64 / 3.57
CAST128-SHA1:	2.37 / 2.34
AES128-MD5:	3.54 / 3.46
AES128-SHA1:	2.29 / 2.27

vpn1211
-------
3DES-MD5:		5.58 / 5.94
3DES-SHA1:		5.56 / 5.92

vpn1411
-------
wouldn't work properly - card seemed to lock up after a few hundred KB


----------------------------------------------------------------------
net4801
----------------------------------------------------------------------
no IPsec:		25.3 / 33.6

no crypto card
--------------
3DES-MD5:		3.85 / 3.76
3DES-SHA1:		3.19 / 3.17
Blowfish-MD5:	7.74 / 7.90
Blowfish-SHA1:	5.65 / 5.71
CAST128-MD5:	7.65 / 7.63
CAST128-SHA1:	5.61 / 5.56
AES128-MD5:	7.11 / 7.26
AES128-SHA1:	5.26 / 5.33

vpn1211
-------
3DES-MD5:		2.70 / 2.67
3DES-SHA1:		2.70 / 2.67

vpn1411
-------
3DES-MD5:		2.62 / 2.30
3DES-SHA1:		2.62 / 2.30
AES128-MD5:	2.62 / 2.28
AES128-SHA1:	2.62 / 2.28