[CLUG-tech] FreeS/WAN network overhead

Gerhard Venter gventer at africonnect.com
Tue Nov 26 16:22:24 SAST 2002


Thanks Hendrik.  This is really a planning question, so I would also like 
your (or anyone else's) view on this short comparison (consisting of random 
items from the Internet), where CIPE seems to look best:

MPPE/PPTP (Microsoft).  Due to "subtle interactions that can come from 
multiple TCP layers", MPPE/PPTP performance is 15% to 20% below that of the 
underlying connection.

Microsoft IPSec.  (Included with Windows 2000 and later).  Performs 
somewhat better than MPPE/PPTP.

OpenVPN and FreeS/WAN:  Open Source IPSec solutions.  Expected to perform 
more or less similarly to Microsoft IPSec.

CIPE is a type of tunnel developed specifically for Linux.  It has superior 
performance, with measured data transfer rates consistently within one or 
two percent of the rates for the same transfers done without using a 
tunnel.  It is as secure as IPSec, but is fundamentally faster because it 
uses UDP as the underlying transport protocol.  This avoids several types 
of subtle interactions that can come from multiple TCP layers.

[CIPE] is a better solution because it doesn't run TCP over TCP, which can 
give a problem when retransmission occurs. With the right amount of bad 
luck, you can have double retransmission where both layers of TCP 
retransmit. CIPE runs completely over UDP to avoid this problem.

Gerhard

At 09:50 Saturday 23/11/2002 +0200, you wrote:
>On Fri, Nov 22, 2002 at 04:08:54PM +0000, Gerhard Venter wrote:
> > Hi
> >
> > Presuming that CPU performance is not an issue (& the pipes are thin), does
> > anyone have figures or even subjective experience that can say things like:
> > Using VPN on a 64kbps line is like using a 48kbps link (or whatever)
>
>As said in the stuff quoted from Cisco, it's the fragmentation that's
>problematic, but my experience is that it's not the fragments, but rather
>the packets that can't be fragmented (ie. those with the DF bit set) that
>cause havoc. This is again specifically the MS-based OSes that are the biggest
>culprits, and it's causing weird problems especially when you are doing IPSEC
>from a "gateway"/firewall, and the remote gateway/router/firewall's next hop
>has an MTU of less than 1500 (ie. MPLS/MPPP ala 128k ISDN).
>
>In those cases you'll be having the performance of an unplugged network cable,
>and it's not as easy as plugging in a network cable :(
>
>The typical advice is to start dropping MTU size (typically 1400 is a good
>start) on both sides. Else there are interesting options in the iptables
>patch-o-matic etc. to force MSS settings to help fix this issue.
>
>Hendrik
>
>--
>Clug-tech mailing list
>Clug-tech at clug.org.za
>To (un)subscribe:
>http://www2.clug.org.za/mailman/listinfo/clug-tech
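
Worked example (added here as an editorial illustration; it is not code from FreeS/WAN, CIPE or either poster): the arithmetic behind the two points in this thread, namely how many bytes an IPsec ESP tunnel adds to each packet on a thin link, and what tunnel MTU and TCP MSS keep the encrypted packet under a given path MTU so nothing has to be fragmented. Header sizes come from the IPv4, TCP and ESP (RFC 2406) specifications; the default cipher parameters assume 3DES-CBC with a 96-bit HMAC, the combination FreeS/WAN shipped with, and can be changed through the block/iv/icv arguments. The function names are mine.

```python
"""Per-packet cost of an IPsec ESP tunnel on a thin link, and the MTU/MSS
that keeps the encrypted packet below a given path MTU.

Added worked example for the thread above; not code from FreeS/WAN or from
either poster.  Header sizes follow IPv4 (RFC 791), TCP (RFC 793) and ESP
(RFC 2406).  The default cipher parameters assume 3DES-CBC (8-byte block
and IV) with a 96-bit HMAC, the combination FreeS/WAN shipped with; pass
block=16, iv=16 for AES-CBC.
"""

IPV4_HDR = 20     # outer IPv4 header added by tunnel mode
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """On-the-wire size of one ESP tunnel-mode packet.

    inner_len: length of the whole inner IP packet being tunnelled
    block:     cipher block size in bytes (8 for 3DES, 16 for AES)
    iv:        IV length in bytes (normally equal to the block size)
    icv:       integrity check value length (12 for HMAC-SHA1-96/MD5-96)
    """
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    body = inner_len + ESP_TRAILER
    pad = (-body) % block
    return IPV4_HDR + ESP_HDR + iv + body + pad + icv


def largest_inner_packet(path_mtu, block=8, iv=8, icv=12):
    """Largest inner IP packet whose ESP encapsulation still fits path_mtu.

    This is the MTU to give the tunnel interface (ipsec0 on FreeS/WAN) so
    the gateway never has to fragment the encrypted packet: an oversized
    inner packet with DF set is then refused locally with an ICMP
    "fragmentation needed" instead of vanishing somewhere past the remote
    gateway.
    """
    for inner in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner, block, iv, icv) <= path_mtu:
            return inner
    return 0


def mss_for_tunnel(path_mtu, block=8, iv=8, icv=12):
    """TCP MSS to clamp on SYNs so a full segment fits after encapsulation."""
    return largest_inner_packet(path_mtu, block, iv, icv) - IPV4_HDR - TCP_HDR


def goodput_kbps(link_kbps, inner_len, block=8, iv=8, icv=12):
    """Link rate left for inner packets of inner_len bytes, counting only
    encapsulation bytes (retransmission and CPU effects are not modelled)."""
    wire = esp_tunnel_size(inner_len, block, iv, icv)
    return link_kbps * inner_len / wire


if __name__ == "__main__":
    for inner in (64, 576, 1500):
        print(f"inner {inner:4d} B -> {esp_tunnel_size(inner):4d} B on the wire, "
              f"64 kbps link carries {goodput_kbps(64, inner):5.1f} kbps of it")
    for mtu in (1500, 1400):
        print(f"path MTU {mtu}: tunnel MTU {largest_inner_packet(mtu)}, "
              f"clamp MSS to {mss_for_tunnel(mtu)}")
```

For a 1500-byte path the largest inner packet that still fits is 1446 bytes and the matching MSS is 1406, which is why 1400 is a sensible starting MTU; full-size packets lose only about 3.5% of a 64 kbps link to ESP framing, while 64-byte packets lose nearly half of it. To clamp at the gateway with the iptables TCPMSS target: iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1406 (or --clamp-mss-to-pmtu). The calculation counts encapsulation bytes only; the TCP-over-TCP double-retransmission effect Gerhard quotes is a separate, dynamic cost that depends on the loss pattern, not on packet size.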