IPSec on FreeBSD – Part 4

Test IPSec tunnels

On FreeBSD2 run the following command:

ping -S 10.2.1.1 10.1.1.1

On FreeBSD1 run the following command:

tcpdump -nvi em0 host 10.27.62.169 and dst 10.27.62.18

You should see output like this:

10.27.62.169 > 10.27.62.18: ESP(spi=0x….)   # ESP between the gateways means the traffic is encrypted
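Going one step beyond eyeballing a single tcpdump line, this added script (not part of the original post) classifies a tcpdump -n capture taken on em0 and flags any packet that should have travelled inside the tunnel. The capture text and SPI values are constructed; the gateway and inner addresses are the ones used in this series.

```python
import ipaddress
import re
from collections import Counter

# Outer gateway addresses and inner (protected) networks used in this series.
GATEWAYS = {"10.27.62.18", "10.27.62.169"}
INNER_NETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.2.1.0/24")]

# One tcpdump -n line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <payload>"
_ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?"
LINE_RE = re.compile(rf"^\S+\s+IP\s+{_ADDR}\s+>\s+{_ADDR}:\s+(.*)$")

def classify(line):
    """Return 'esp', 'ike', 'leak', 'clear', 'other', or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, payload = m.groups()
    # In tunnel mode the inner addresses ride inside the ESP payload, so an
    # inner address seen on em0 is a packet that bypassed the security policy.
    if any(ipaddress.ip_address(a) in n for a in (src, dst) for n in INNER_NETS):
        return "leak"
    if {src, dst} != GATEWAYS:
        return "other"  # unrelated traffic on the interface
    if payload.startswith("ESP("):
        return "esp"
    if {sport, dport} & {"500", "4500"}:
        return "ike"  # ISAKMP / NAT-T negotiation is expected in the clear
    return "clear"  # gateway-to-gateway plaintext: verify the SPD covers it

def audit(capture):
    """Return (Counter of packet classes, list of leaked plaintext lines)."""
    counts, leaks = Counter(), []
    for line in capture.splitlines():
        kind = classify(line)
        if kind:
            counts[kind] += 1
            if kind == "leak":
                leaks.append(line)
    return counts, leaks

# Constructed capture: one IKE packet, two ESP packets, one inner ICMP packet
# that escaped the tunnel in the clear, and unrelated multicast.
SAMPLE = """\
12:00:01.000001 IP 10.27.62.169.500 > 10.27.62.18.500: isakmp: phase 1 I ident
12:00:02.000001 IP 10.27.62.169 > 10.27.62.18: ESP(spi=0x0a00100c,seq=0x1), length 116
12:00:02.000200 IP 10.27.62.18 > 10.27.62.169: ESP(spi=0x0b00200d,seq=0x1), length 116
12:00:03.000001 IP 10.2.1.1 > 10.1.1.1: ICMP echo request, id 42, seq 1, length 64
12:00:04.000000 IP 10.27.62.169 > 224.0.0.1: igmp query v2"""
print(audit(SAMPLE))  # class counts plus the leaked ICMP line
```

Feed it a real capture with `tcpdump -ni em0 -l | python3 check_esp.py` style piping; a non-empty leak list means the SPD does not cover that traffic.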

Bandwidth tests and results

Iperf will be used to test IPSec throughput between FreeBSD1 and FreeBSD2.

On FreeBSD1, iperf is started in server mode as follows:

iperf -s -B 10.1.1.1

On FreeBSD2, iperf is started in client mode as follows:

iperf -c 10.1.1.1 -B 10.2.1.1

The result was 97 Mbits/second.

The encryption algorithm was then changed in /usr/local/etc/racoon/racoon.conf as follows:

encryption_algorithm 3des;

was replaced with:

encryption_algorithm aes128;

The iperf tests were repeated and 174 Mbits/sec throughput was obtained, but the kernel reported that a queue was full, so some packets were dropped.

After adding the following to /etc/sysctl.conf and rebooting both machines:

kern.ipc.somaxconn=8192
kern.ipc.maxsockbuf=2097152
kern.sched.slice=1
net.inet.ip.intr_queue_maxlen=4096
net.inet.tcp.recvspace=262144
net.inet.tcp.mssdflt=1452
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535

174 Mbits/sec was obtained without dropped packets.

In order to determine the optimum algorithms, the openssl speed benchmark was run with OpenSSL 1.0.1j on the FreeBSD boxes.

The following algorithms were tested: md5 sha1 3des aes-128-cbc aes-192-cbc aes-256-cbc. The result is as follows:

OpenSSL 1.0.1j-freebsd
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: cc
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5             49287.59k   164437.74k   387762.08k   588752.90k   691467.61k
sha1            55899.17k   181288.66k   412761.64k   619054.76k   737050.88k
des ede3        29244.15k    29786.45k    29832.05k    29834.63k    29731.50k
aes-128 cbc    127703.75k   132969.71k   141539.97k   309853.87k   315241.81k
aes-192 cbc    109767.49k   118717.87k   120454.74k   263851.31k   264339.20k
aes-256 cbc     95349.79k   101533.63k   103189.24k   231242.15k   230229.65k

According to the tests, aes-128-cbc is the fastest cipher and sha1 the fastest hash, so that combination gives the highest throughput.

aes-128-cbc with sha1 is also a good balance between security and speed/throughput.

Note: the tests were made over TCP, using iperf with default parameters.


Author: techwritter