login
Login / Register
Header Space

 
 

Home » Mailing list archives » openbsd-misc » 2007 » May » 9

Performance: OpenVPN vs IPsec

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Michael <belenus@...>
To: <misc@...>
Subject: Performance: OpenVPN vs IPsec
Date: Wednesday, May 9, 2007 - 8:51 am

Hello,

I've got two "networks" connected with OpenVPN right now, the setup is
like this.

{Network_A}-----{OpenVPN_Server}------{Network_B}

NetworkA is a real network where the router (with dynamic IP) is
connected directly to a dedicated OpenVPN server with a static IP.

"NetworkB" is just a single host within another network which is
connected to the OpenVPN server to be able to directly access NetworkA
over the central OpenVPN server.

Now, as I understand it, it isn't possible to create an IPsec connection
from a single host within a NATed network to an external server but
OpenVPN works great here. Please correct me if I am wrong. (I have no
access to the NAT router here.)

Even though the NetworkA router just got a dynamic IP it would still be
possible to set up the VPN with IPsec. At the moment I use OpenVPN here
but I consider the pros/cons about switching to IPsec at the moment. One
important part would be the overall performance.

The NetworkA router is a Soekris net4801 with vpn1411. Both NetworkA
router, the host in NetworkB and the central server run OpenBSD 4.x-stable.

I now did some speed testing. Both OpenVPN and IPsec use keys of the
same size.

When using the OpenVPN connection I can download a file from the central
server using scp with approx 200kB/s to the Soekris memory file system,
getting around or more than 1000 interrupts on the vpn1411 card when
examining it with "systat vmstat".

When using the IPsec connection I can download the same file at around
the same speed but am only getting around 300 interrupts so it seems to
me the overall performance should be better because the system is
stressed a lot less.

When downloading the file directly to the Soekris mfs without any VPN I
get something like >=400kB/s.

I have no clue about the VPN traffic overhead differences between
OpenVPN and IPsec but I would guess that IPsec would be faster/less
ressource consumning/more performant since it is a protocol extension
and is not running in userspace.

Anyone got more experience on this or got an explanation why there is no
visible gain (ie. transfer speed), except the lesser system and memory
usage which is already nice enough, when using IPsec.


Michael
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
Performance: OpenVPN vs IPsec, Michael, (Wed May 9, 8:51 am)
Re: Performance: OpenVPN vs IPsec, Boris Golberg, (Thu May 10, 10:52 am)
Re: Performance: OpenVPN vs IPsec, Matthew R. Dempsky, (Wed May 9, 11:31 am)
Re: Performance: OpenVPN vs IPsec, Steve Williams, (Wed May 9, 11:30 am)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Recent Tags
more tags
Colocation donated by:
Who's online
There are currently 5 users and 1226 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary