On Sat, Mar 22, 2008 at 7:22 PM, Eric Baenen <[EMAIL PROTECTED]> wrote:
> The VPN connections from each lab to the core are OpenVPN, UDP, shared key,
> AES 128bit (for now), LZO compression enabled.
<SNIP>

> As I said before - all is working fine - except:  when doing rsyncs over
> ssh/scp from the lab machines to the services core, I'm seeing a maximum
> sustained throughput of around 60Mbps.  With gigabit end to end - even with
> the AES encryption overhead of the OpenVPN connection and the scp encryption
> overhead of the file transfer, I would have expected higher throughput than
> this.  The sending machines and the receiving server are not showing high
> CPU load so I don't think the encryption is the issue.
>
> Any thoughts or ideas?

What's the CPU load look like on the firewall?  You are doing a lot of
work there, compression and encryption, and it's all being performed
in userland which is going to have much lower priority for CPU
resources vs the kernel.  Further, you don't have hardware
acceleration for the crypto, I'm not sure where your limit will be
there (I would have guessed greater than 60Mbit...but what I didn't
see was if you also have a VPN tunnel to the core services network, or
if that's hanging direct off the firewall - that'd give you 120Mbit of
crypto traffic if so).

If possible, you'd be much better off with IPSec, at least you don't
traverse to userland (that really is a pretty significant CPU hit).
BTW, you also didn't mention what AES you were using, 256bit is 40%
slower than 128bit from what I understand - you might want to try out
a few different ciphers and see if any perform better for you.

--Bill
