Re: Performance: OpenVPN vs IPsec
Hello Michael, Wednesday, May 9, 2007, 7:51:35 AM, you wrote: M Now, as I understand it, it isn't possible to create an IPsec connection M from a single host within a NATed network to an external server ... From my experience - in most cases it works (with some limitations). Our employees are using IPSec VPN to work from home, and some of them are behind home network routers. We also doing lot of IPSec from the company's network (behind OpenBSD firewall/NAT) to customers gateways (using various clients). -- Best regards, Borismailto:[EMAIL PROTECTED]
Performance: OpenVPN vs IPsec
Hello,
I've got two networks connected with OpenVPN right now, the setup is
like this.
{Network_A}-{OpenVPN_Server}--{Network_B}
NetworkA is a real network where the router (with dynamic IP) is
connected directly to a dedicated OpenVPN server with a static IP.
NetworkB is just a single host within another network which is
connected to the OpenVPN server to be able to directly access NetworkA
over the central OpenVPN server.
Now, as I understand it, it isn't possible to create an IPsec connection
from a single host within a NATed network to an external server but
OpenVPN works great here. Please correct me if I am wrong. (I have no
access to the NAT router here.)
Even though the NetworkA router just got a dynamic IP it would still be
possible to set up the VPN with IPsec. At the moment I use OpenVPN here
but I consider the pros/cons about switching to IPsec at the moment. One
important part would be the overall performance.
The NetworkA router is a Soekris net4801 with vpn1411. Both NetworkA
router, the host in NetworkB and the central server run OpenBSD 4.x-stable.
I now did some speed testing. Both OpenVPN and IPsec use keys of the
same size.
When using the OpenVPN connection I can download a file from the central
server using scp with approx 200kB/s to the Soekris memory file system,
getting around or more than 1000 interrupts on the vpn1411 card when
examining it with systat vmstat.
When using the IPsec connection I can download the same file at around
the same speed but am only getting around 300 interrupts so it seems to
me the overall performance should be better because the system is
stressed a lot less.
When downloading the file directly to the Soekris mfs without any VPN I
get something like =400kB/s.
I have no clue about the VPN traffic overhead differences between
OpenVPN and IPsec but I would guess that IPsec would be faster/less
ressource consumning/more performant since it is a protocol extension
and is not running in userspace.
Anyone got more experience on this or got an explanation why there is no
visible gain (ie. transfer speed), except the lesser system and memory
usage which is already nice enough, when using IPsec.
Michael
Re: Performance: OpenVPN vs IPsec
Michael wrote:
Hello,
I've got two networks connected with OpenVPN right now, the setup is
like this.
{Network_A}-{OpenVPN_Server}--{Network_B}
NetworkA is a real network where the router (with dynamic IP) is
connected directly to a dedicated OpenVPN server with a static IP.
NetworkB is just a single host within another network which is
connected to the OpenVPN server to be able to directly access NetworkA
over the central OpenVPN server.
Now, as I understand it, it isn't possible to create an IPsec connection
from a single host within a NATed network to an external server but
OpenVPN works great here. Please correct me if I am wrong. (I have no
access to the NAT router here.)
[snip]
Hi,
From MY experience it is possible to use an IPSEC VPN through NAT, with
some conditions!!
1. There can only be 1 IPSEC connection through the NAT router UNLESS
the router supports NAT-T.
2. The IPSEC connection cannot be doing AH, only ESP. If you do not
understand this statement, man(4) ipsec will be our friend.
Someone else may correct me, but these are my empirical findings and my
understanding from doing LOTS of reading. I'm very much a beginner at
this stuff though.
The rest I have no idea about.
Good Luck,
Steve Williams
Re: Performance: OpenVPN vs IPsec
On Wed, May 09, 2007 at 02:51:35PM +0200, Michael wrote: Now, as I understand it, it isn't possible to create an IPsec connection from a single host within a NATed network to an external server but OpenVPN works great here. Please correct me if I am wrong. (I have no access to the NAT router here.) If the router allows UDP traffic on ports 500 and 4500, isakmpd will fall back to NAT-traversal automatically if it decides it's necessary.
