[ previous ] [ next ] [ threads ]
 
 From:  James Baber <origin at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  mk at neon1 dot net
 Subject:  Re: [m0n0wall] net4501/net4801/WRAP IPsec throughput comparison
 Date:  Tue, 15 Jun 2004 08:46:28 -0700 
Hello Manuel,

I definitely appreciate you running these tests.  All my tests have been:

PC1 -> m0n0wall1 -> m0n0wall2 -> PC2
m0n0wall1 = net4801 w/1401
m0n0wall2 = WRAP w/1411

and my results have been much worse.  In fact, the performance was so
close to your "no crypto card" results that I thought the cards were
not being used at all.  (BTW:  My cards always initialize fine.)

Anyone need some cheap vpn14x1 cards?  :)  I can't use them anymore...

James


On Sun, 13 Jun 2004 13:08:11 +0200, Manuel Kasper <mk at neon1 dot net> wrote:
> 
> Peter Curran generously donated a vpn1411 crypto card, which arrived
> yesterday. I decided to do a detailed throughput comparison between a
> net4501, net4801 and a WRAP board. Judging from the results, it would
> appear that the FreeBSD hifn driver needs more work to support the
> Hifn 7955 (as used on the vpn1411) properly. Furthermore, it looks
> like something is preventing the card from working in a useful way on
> either the net4501 or the net4801 under FreeBSD 4.10.
> 
> Test setup:
> 
> [XP notebook] ----- LAN [device to be tested] WAN ----- [FreeBSD PC]
> 
> - in IPsec throughput tests, the ESP tunnel was established between
> m0n0wall and the FreeBSD PC (which was running racoon and FAST_IPSEC)
> 
> - FreeBSD PC hardware: P4 2.8 GHz (CPU usage was below 50% at all
> times during the tests)
> 
> - m0n0wall configuration: factory defaults (except for "block private
> networks on WAN" disabled, an inbound NAT mapping + rule in the
> WAN->LAN no-IPsec test and of course the IPsec tunnel)
> 
> - the highest of three iperf TCP readings was used (10 seconds each)
> 
> - all network connections 100 Mbps Ethernet
> 
> - iperf throughput between XP notebook and FreeBSD PC with no
> m0n0wall in between: 94 Mbps in both directions
> 
> - all test results given in Mbps (LAN->WAN / WAN->LAN)
> 
> - the net4501 detected and initialized the vpn1411 properly, but the
> card seemed to lock up after a few hundred KBs (no more traffic
> passed the IPsec tunnel)
> 
> - the net4801 detected and initialized the vpn1411 without errors as
> well, but performance was, well, slightly suboptimal ;)
> 
> Test results:
> 
> ----------------------------------------------------------------------
> WRAP (233 MHz)
> ----------------------------------------------------------------------
> no IPsec:               38.3 / 42.8
> 
> no crypto card
> --------------
> 3DES-MD5:               3.64 / 3.52
> 3DES-SHA1:              3.03 / 2.94
> Blowfish-MD5:   7.93 / 7.68
> Blowfish-SHA1:  5.51 / 5.36
> CAST128-MD5:    7.80 / 7.35
> CAST128-SHA1:   5.44 / 5.21
> AES128-MD5:     7.20 / 7.13
> AES128-SHA1:    5.10 / 5.00
> 
> vpn1211
> -------
> 3DES-MD5:               11.2 / 11.7
> 3DES-SHA1:              11.2 / 11.7
> 
> vpn1411
> -------
> 3DES-MD5:               10.3 / 9.27
> 3DES-SHA1:              10.3 / 9.48
> AES128-MD5:     10.2 / 9.72
> AES128-SHA1:    10.2 / 9.62
> 
> ----------------------------------------------------------------------
> net4501
> ----------------------------------------------------------------------no
> IPsec:          16.5 / 18.5
> 
> no crypto card
> --------------
> 3DES-MD5:               2.07 / 2.02
> 3DES-SHA1:              1.59 / 1.55
> Blowfish-MD5:   3.99 / 3.89
> Blowfish-SHA1:  2.52 / 2.48
> CAST128-MD5:    3.64 / 3.57
> CAST128-SHA1:   2.37 / 2.34
> AES128-MD5:     3.54 / 3.46
> AES128-SHA1:    2.29 / 2.27
> 
> vpn1211
> -------
> 3DES-MD5:               5.58 / 5.94
> 3DES-SHA1:              5.56 / 5.92
> 
> vpn1411
> -------
> wouldn't work properly - card seemed to lock up after a few hundred KB
> 
> ----------------------------------------------------------------------
> net4801
> ----------------------------------------------------------------------
> no IPsec:               25.3 / 33.6
> 
> no crypto card
> --------------
> 3DES-MD5:               3.85 / 3.76
> 3DES-SHA1:              3.19 / 3.17
> Blowfish-MD5:   7.74 / 7.90
> Blowfish-SHA1:  5.65 / 5.71
> CAST128-MD5:    7.65 / 7.63
> CAST128-SHA1:   5.61 / 5.56
> AES128-MD5:     7.11 / 7.26
> AES128-SHA1:    5.26 / 5.33
> 
> vpn1211
> -------
> 3DES-MD5:               2.70 / 2.67
> 3DES-SHA1:              2.70 / 2.67
> 
> vpn1411
> -------
> 3DES-MD5:               2.62 / 2.30
> 3DES-SHA1:              2.62 / 2.30
> AES128-MD5:     2.62 / 2.28
> AES128-SHA1:    2.62 / 2.28
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
>