What kind of NICs are in it?
Intel has some IPSec-aware NICs, which I think are around $50 or so, that
may help. Per "Enabling acceleration with the new Intel IPsec NIC's
Solution ID: #sk10285 (FP1)" try
cpstat -f nic vpn
I put some of these cards in a Microsoft ISA server a few years ago and they
seemed to help a lot (3DES).
I've got an IP530, which is a 700 MHz P-III and I think the Nokia
accelerator card kicks the 3DES VPN throughput up about ten times or so.
Seems to me it was about $400 three years ago. If the IPSec-aware NICs don't
help, you might not have much choice except to go to a crypto card. Software
hacks are never going to be as good as optimized hardware.
However since you only need to go up about 2.5 times, the NICs might be the
way to go. If you don't already have them, that is. :-)
The odd thing is you're using AES, which my resellers told me doesn't require
a crypto card for good performance. You might want to try kicking Phase 2
down to AES-128 while leaving Phase 1 at AES-256. That's what I run but I
don't have the bandwidth requirements you do.
Ray
From: cisco4ng <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: [FW-1] Checkpoint vpn performance on SPLAT
Date: Fri, 23 Dec 2005 08:17:20 -0800
I have a SPLAT box running NG AI R55w with HFA_04. The hardware
is a Dell dual Pentium III (550Mhz) processor with 1GB of RAM.
This box is running as an enforcement module only and being managed
by provider-1.
It seems like I can not push more than 8MB of IPSec traffic on this
SPLAT box. The splat box has two vpn tunnels between a cisco VXR7206
and a cisco Pix535. Both of these cisco devices are capable of pushing
well above 80MB of IPsec traffic (I tested it).
However, when I use SmartView monitor to measure the IPSec throughput,
the splat can not seem to push beyond 8MB of IPsec traffic. There
is no other traffic on the SPLAT box other than IPSec traffic.
I have servers behind the SPLAT and when I test regular traffic, I can
see the splat pushing about 70MB of throughput of regular traffic.
However, with IPSec traffic, I can not go beyond 8MB.
I checked layer 2 switches and everything is set to 100 full-duplex. We
are using both Cisco 3550 and cisco 6509 switches. No errors on the
switchports.
I have Performance Pack enabled on my splat box so that I can off-load
the vpn traffic to the second cpu. I am using AES-256/sha1/DH group5 for
both phase I and phase II. I am also using pfs in phase II.
I am also seeing that the CPU utilization never goes beyond 25%.
How can I improve the vpn performance on my SPLAT box? I want to
improve IPSec throughput to about 20MB or so. I do NOT want to upgrade
my hardware or buy a VPN acceleration card.
Is it possible to do that?
TIA
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================