IPSec Performance Gained by VPN Hardware Accelerator
IPSec performance is one of the decision factors in choosing a firewall appliance. A previous article, IPSec Performance of pfSense Firewall Appliance, examined the performance of various Hacom pfSense appliances. In this article, the Soekris VPN1411 hardware encryption/decryption accelerator was tested to determine whether it improves IPSec performance.
The Core2Duo Jupiter pfSense appliance showed the best 3DES throughput, 110 Mbps, with the help of the Soekris VPN1411. Without the VPN accelerator, it still shows a formidable IPSec throughput of 74 Mbps. Even the Mercury, with its VIA Padlock Security Engine, gains almost 20 Mbps of AES throughput with the Soekris VPN1411 accelerator. Its 3DES throughput increased from 15 Mbps to 77 Mbps: a whopping 420% increase!
Testing Methodology
The Hacom pfSense appliances were running pfSense version 1.2.3 loaded on a 1GB CompactFlash card. The following are the relevant specifications of the tested systems.
| Specifications | Mercury | Mars | Jupiter |
|---|---|---|---|
| CPU | 1 GHz VIA C7 | 1.5 GHz Pentium-M | 2 GHz Core2Duo T7200 |
| Memory | 1GB DDR2 RAM | 1GB DDR RAM | 1GB DDR2 RAM |
| Ethernet | 3 x Intel Gigabit | 4 x Intel Gigabit | 4 x Intel Gigabit |
| pfSense version | 1.2.3 | 1.2.3 | 1.2.3 |
To test IPSec performance, two pfSense devices established IPSec tunnels with each other. Two Gigabit OpenBrick-E VIA C7 systems were connected to the LAN ports of the pfSense devices: one running the iperf server, the other running the iperf client.
Results
The raw (cleartext) throughput under iperf without the IPSec tunnel was about 630 Mbps¹. The following table shows the other results.
| IPSec Throughput | Mercury | Mars | Jupiter |
|---|---|---|---|
| Raw (No encryption) | 630 Mbps¹ | 630 Mbps¹ | 630 Mbps¹ |
| 3DES (No HW Accel) | 15 Mbps | 51 Mbps | 74 Mbps |
| 3DES (VPN1411) | 77 Mbps | 100 Mbps | 110 Mbps |
| AES256 (No HW Accel) | 56 Mbps | 56 Mbps | 74 Mbps |
| AES256 (VPN1411) | 77 Mbps | 100 Mbps | 110 Mbps |
Notes:
¹ Updated on 7/12/2010. The old number was around 300 Mbps, which indicated a half-duplex problem.
The best throughput of the 3DES tunnel was obtained with the Core2Duo Jupiter pfSense appliance at 110 Mbps, while the 1.5 GHz Pentium-M Mars reached 100 Mbps. It appears that the best VPN throughput the Soekris VPN1411 can deliver in a mini-PCI socket is 110 Mbps.
Conclusions
The IPSec performance was studied to aid in the selection of the appropriate firewall appliance. For the VIA C7 with its built-in hardware encryption/decryption engine, the AES and AES256 tunnel throughput performed exceptionally, much better than the higher-performance Dothan Pentium-M. However, even without the hardware VPN accelerator, the raw CPU power of a Core2Duo T7200 outperforms the VIA C7 with its VIA Padlock Security Engine.
The Soekris VPN1411 hardware VPN accelerator increases both the 3DES and the AES256 IPSec throughput. For the 1 GHz VIA C7, it increases the 3DES performance almost four times and the AES256 performance by 35%. For the Core2Duo T7200, the increase is about 33%.
| Performance Gained with VPN1411 HW Accel | Mercury 1 GHz VIA C7 | Mars 1.5 GHz Pentium-M | Jupiter 2 GHz Core2Duo T7200 |
|---|---|---|---|
| 3DES | 420% | 116% | 33% |
| AES256 | 38% | 96% | 33% |
Most small and medium businesses have a broadband Internet feed of less than 50 Mbps, so depending on the Internet speed, the Mercury appears to be more than adequate for their applications. For enterprises with Internet throughput of up to 100 Mbps or more, the high-performance Mars or Jupiter would suffice.
