Re: Performance: OpenVPN vs IPsec
Hello Michael,

Wednesday, May 9, 2007, 7:51:35 AM, you wrote:

> Now, as I understand it, it isn't possible to create an IPsec connection
> from a single host within a NATed network to an external server ...

From my experience, in most cases it works (with some limitations). Our employees are using IPsec VPN to work from home, and some of them are behind home network routers. We are also doing a lot of IPsec from the company's network (behind an OpenBSD firewall/NAT) to customers' gateways (using various clients).

--
Best regards,
Boris
Performance: OpenVPN vs IPsec
Hello,

I've got two networks connected with OpenVPN right now; the setup is like this:

{Network_A}-{OpenVPN_Server}--{Network_B}

NetworkA is a real network where the router (with dynamic IP) is connected directly to a dedicated OpenVPN server with a static IP. NetworkB is just a single host within another network which is connected to the OpenVPN server to be able to directly access NetworkA over the central OpenVPN server.

Now, as I understand it, it isn't possible to create an IPsec connection from a single host within a NATed network to an external server, but OpenVPN works great here. Please correct me if I am wrong. (I have no access to the NAT router here.) Even though the NetworkA router just got a dynamic IP, it would still be possible to set up the VPN with IPsec.

At the moment I use OpenVPN here, but I am considering the pros/cons of switching to IPsec. One important part would be the overall performance. The NetworkA router is a Soekris net4801 with vpn1411. The NetworkA router, the host in NetworkB and the central server all run OpenBSD 4.x-stable.

I now did some speed testing. Both OpenVPN and IPsec use keys of the same size.

When using the OpenVPN connection I can download a file from the central server using scp with approx. 200kB/s to the Soekris memory file system, getting around or more than 1000 interrupts on the vpn1411 card when examining it with systat vmstat.

When using the IPsec connection I can download the same file at around the same speed but am only getting around 300 interrupts, so it seems to me the overall performance should be better because the system is stressed a lot less.

When downloading the file directly to the Soekris mfs without any VPN I get something like ~400kB/s.

I have no clue about the VPN traffic overhead differences between OpenVPN and IPsec, but I would guess that IPsec would be faster/less resource consuming/more performant since it is a protocol extension and is not running in userspace.

Anyone got more experience on this, or got an explanation why there is no visible gain (i.e. transfer speed), except the lesser system and memory usage which is already nice enough, when using IPsec?

Michael
Re: Performance: OpenVPN vs IPsec
Michael wrote:

> Hello, I've got two networks connected with OpenVPN right now, the setup is like this.
>
> {Network_A}-{OpenVPN_Server}--{Network_B}
>
> NetworkA is a real network where the router (with dynamic IP) is connected directly to a dedicated OpenVPN server with a static IP. NetworkB is just a single host within another network which is connected to the OpenVPN server to be able to directly access NetworkA over the central OpenVPN server.
>
> Now, as I understand it, it isn't possible to create an IPsec connection from a single host within a NATed network to an external server but OpenVPN works great here. Please correct me if I am wrong. (I have no access to the NAT router here.)

[snip]

Hi,

From MY experience it is possible to use an IPsec VPN through NAT, with some conditions!!

1. There can only be 1 IPsec connection through the NAT router UNLESS the router supports NAT-T.
2. The IPsec connection cannot be doing AH, only ESP. If you do not understand this statement, man(4) ipsec will be our friend.

Someone else may correct me, but these are my empirical findings and my understanding from doing LOTS of reading. I'm very much a beginner at this stuff though.

The rest I have no idea about.

Good Luck,
Steve Williams
Re: Performance: OpenVPN vs IPsec
On Wed, May 09, 2007 at 02:51:35PM +0200, Michael wrote:

> Now, as I understand it, it isn't possible to create an IPsec connection from a single host within a NATed network to an external server but OpenVPN works great here. Please correct me if I am wrong. (I have no access to the NAT router here.)

If the router allows UDP traffic on ports 500 and 4500, isakmpd will fall back to NAT-traversal automatically if it decides it's necessary.
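One way to confirm on the wire that this fallback actually happened is to look at what isakmpd and its peer send on UDP port 4500. This is an added example, not code from the thread or from OpenBSD: a small Python classifier for the three payload shapes RFC 3948 allows on that port (UDP-encapsulated ESP, IKE behind a four-byte zero "non-ESP marker", and the one-octet NAT-keepalive). The sample datagrams at the bottom are constructed, not captured.

```python
import struct

# RFC 3948 defines three payload shapes on UDP port 4500:
#   ESP:           ESP header first; its leading 4 bytes (the SPI) are never zero
#   IKE:           4 zero bytes ("non-ESP marker") followed by the ISAKMP header
#   NAT-keepalive: a single 0xFF octet
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ISAKMP_HDR_LEN = 28  # init SPI(8) resp SPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as nat-keepalive, ike, esp or invalid."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        body = payload[4:]
        if len(body) < ISAKMP_HDR_LEN:
            return {"kind": "invalid", "reason": "truncated ISAKMP header"}
        _i, _r, _nxt, version, exch, _flags, _msgid, length = struct.unpack(
            "!8s8sBBBBII", body[:ISAKMP_HDR_LEN])
        return {"kind": "ike", "version": f"{version >> 4}.{version & 0xF}",
                "exchange": exch, "length_ok": length == len(body)}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_t_active(datagrams) -> bool:
    """True when ESP shows up UDP-encapsulated on 4500, i.e. the peers moved to NAT-T.
    datagrams: iterable of (udp_dst_port, payload) tuples."""
    return any(port == 4500 and classify_nat_t_payload(p)["kind"] == "esp"
               for port, p in datagrams)


# Constructed samples (hypothetical cookies/SPI), not captured traffic.
IKE_V1_MAIN_MODE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 1, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)
ESP_PACKET = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 24
KEEPALIVE = b"\xff"
SAMPLE_FLOW = [(500, IKE_V1_MAIN_MODE[4:]), (4500, IKE_V1_MAIN_MODE),
               (4500, ESP_PACKET), (4500, KEEPALIVE)]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOW:
        print(port, classify_nat_t_payload(payload) if port == 4500 else "ike (plain udp/500)")
    print("NAT-T in use:", nat_t_active(SAMPLE_FLOW))
```

If every ESP packet still arrives as IP protocol 50 and nothing appears on 4500, the peers did not negotiate NAT-T, which is also the situation where AH, if configured, fails through the NAT.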