[CLUG-tech] FreeS/WAN network overhead
gventer at africonnect.com
Tue Nov 26 16:22:24 SAST 2002
Thanks Hendrik. This is really a planning question, so I would also like
your (or anyone else's) view on this short comparison (consisting of random
items from the Internet), where CIPE seems to look best:
MPPE/PPTP (Microsoft). Due to "subtle interactions that can come from
multiple TCP layers", MPPE/PPTP performance is 15% to 20% below that of
Microsoft IPSec.

Microsoft IPSec (included with Windows 2000 and later). Performs
somewhat better than MPPE/PPTP.

OpenVPN and FreeS/WAN: Open Source IPSec solutions. Expected to perform
more or less similarly to Microsoft IPSec.

CIPE is a type of tunnel developed specifically for Linux. It has superior
performance, with measured data transfer rates consistently within one or
two percent of the rates for the same transfers done without using a
tunnel. It is as secure as IPSec, but is fundamentally faster because it
uses UDP as the underlying transport protocol. This avoids several types
of subtle interactions that can come from multiple TCP layers.

[CIPE] is a better solution because it doesn't run TCP over TCP, which can
give a problem when retransmission occurs. With the right amount of bad
luck, you can have double retransmission where both layers of TCP
retransmit. CIPE runs completely over UDP to avoid this problem.
At 09:50 Saturday 23/11/2002 +0200, you wrote:
>On Fri, Nov 22, 2002 at 04:08:54PM +0000, Gerhard Venter wrote:
> > Hi
> > Presuming that CPU performance is not an issue (& the pipes are thin),
> > anyone have figures or even subjective experience that can say things
> > Using VPN on a 64kbps line is like using a 48kbps link (or whatever)
>As said in the stuff quoted from Cisco, it's the fragmentation that's
>problematic, but my experience is that it's not the fragments, but rather
>the packets that can't be fragmented (ie. those with the DF bit set) that
>havoc. This is again specifically the MS based OSes that's the biggest
>and it's causing weird problems especially when you are doing IPSEC
>from a "gateway"/firewall, and the remote gateway/router/firewall's next hop
>has an MTU of less than 1500 (ie. MPLS/MPPP ala 128k ISDN).
>In those cases you'll be having the performance of an unplugged network cable,
>and it's not as easy as plugging in a network cable :(
>The typical advice is to start dropping MTU size (typically 1400 is a good
>on both sides. else there are interesting options in the iptables
>to force MSS settings to help fix this issue.
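An added planning calculator for the overhead and fragmentation questions raised above; it is not code from the list or from FreeS/WAN. It assumes ESP tunnel mode over IPv4 with 3DES-CBC and HMAC-SHA1-96, no IP or TCP options, and a 64 kbps link, and it also derives the MSS value an iptables TCPMSS clamp needs so that encapsulated packets fit a reduced next-hop MTU.

```python
from dataclasses import dataclass

# Assumed profile (a FreeS/WAN-era default, not taken from the thread): ESP in
# tunnel mode over IPv4, 3DES-CBC (8-byte block and IV), HMAC-SHA1-96 (12-byte ICV).
IP_HDR = 20        # outer IPv4 header added by tunnel mode (no options)
TCP_HDR = 20       # inner TCP header (no options)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    block: int  # cipher block size in bytes
    iv: int     # IV length in bytes
    icv: int    # truncated integrity check value length in bytes

THREE_DES_SHA1 = EspProfile(block=8, iv=8, icv=12)

def esp_tunnel_size(inner_len, prof):
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % prof.block          # CBC padding up to a whole block
    return IP_HDR + ESP_HDR + prof.iv + body + pad + prof.icv

def fragments_at(inner_len, prof, path_mtu):
    """True if the encapsulated packet exceeds the next-hop MTU; with DF set it is dropped instead."""
    return esp_tunnel_size(inner_len, prof) > path_mtu

def safe_mss(path_mtu, prof):
    """Largest TCP payload whose encapsulated packet fits path_mtu; the value to give
    iptables' TCPMSS target (--set-mss N) or to check --clamp-mss-to-pmtu against."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while esp_tunnel_size(IP_HDR + TCP_HDR + mss, prof) > path_mtu:
        mss -= 1
    return mss

def goodput_kbps(link_kbps, payload, prof):
    """Application throughput on link_kbps when every segment carries payload bytes."""
    wire = esp_tunnel_size(IP_HDR + TCP_HDR + payload, prof)
    return link_kbps * payload / wire

if __name__ == "__main__":
    p = THREE_DES_SHA1
    print("1500-byte packet on the wire:", esp_tunnel_size(1500, p), "bytes")
    print("safe MSS for 1500 / 1400 MTU:", safe_mss(1500, p), safe_mss(1400, p))
    print("64 kbps link, 64-byte vs 1406-byte payload: %.1f / %.1f kbps"
          % (goodput_kbps(64, 64, p), goodput_kbps(64, 1406, p)))
```

The small-packet case is the one that makes a 64 kbps line feel much slower than the bulk-transfer numbers suggest, and the MSS figures are what the clamp on both gateways should use once the next hop's MTU is known.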