[VPN] IPsec performance just 55% of WAN bandwidth

Ryan Malayter rmalayter at bai.org
Thu Jul 17 09:55:23 EDT 2003


We have an IPsec tunnel set up between two sites. The physical layer
in-between VPN endpoints consists of one 2xT1 multiplexed link, followed
by three hops on our ISP's OC-192 backbone. One side has a Sonicwall
Pro-VX device, the other has a Nokia Checkpoint FW-1 appliance. Both
have triple-DES hardware assist and are rated at much higher speeds than
my link for VPN throughput.

We've tested unencrypted speed, and we get about 2.8 Mbps aggregate via
HTTP or FTP over the link. However, when testing both HTTP and FTP
between two servers via the VPN tunnel, I consistently get just 1.68
Mbps in either direction. I have tested multiple servers on both ends,
at different (low-traffic) times of day.

I'm wondering if this is a packet size or fragmentation issue. I cannot
seem to find a way to adjust FTP packet size on either end (both are
Windows 2000 servers). The largest ping I can get through the tunnel is 
     ping -l -1418
which I think would be a 1446-byte packet.

Any ideas on how I should proceed diagnosing this performance issue?
Neither the Sonicwall nor the Nokia device seems to have good diagnostic
tools built-in.

Thank you for your help,

Ryan Malayter
Sr. Network & Database Administrator
Bank Administration Institute
Chicago, Illinois, USA
PGP Key: http://www.malayter.com/pgp-public.txt
:::::::::::::::::::::::::::::::
Never argue with idiots. They drag you down to their level,
and then beat you with experience.
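
Added example, not part of the original post: ESP tunnel-mode size arithmetic for a 3DES tunnel like the one described, to check the packet-size hypothesis against the 1418-byte ping. It assumes a 1500-byte path MTU, an IPv4 outer header without options, a 12-byte truncated HMAC ICV and no NAT-T encapsulation, none of which the post states; all function names are hypothetical.

```python
# Added example: ESP tunnel-mode overhead for 3DES-CBC.
# Assumptions (not stated in the post): 1500-byte path MTU, 20-byte outer
# IPv4 header, 12-byte ICV (HMAC-MD5-96 or HMAC-SHA1-96), no UDP encapsulation.

OUTER_IP = 20     # outer IPv4 header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
IV_3DES = 8       # 3DES-CBC IV is one cipher block
BLOCK_3DES = 8    # CBC block size; plaintext is padded to a multiple of this
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # assumed truncated HMAC
ICMP_ECHO = 20 + 8  # inner IPv4 header + ICMP header around a ping payload


def esp_tunnel_size(inner_len):
    """Bytes on the wire for one ESP packet carrying an inner IP packet."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // BLOCK_3DES) * BLOCK_3DES  # round up to a block
    return OUTER_IP + ESP_HDR + IV_3DES + padded + ICV


def max_inner_packet(mtu=1500):
    """Largest inner IP packet whose encapsulation still fits in mtu."""
    size = mtu
    while size > 0 and esp_tunnel_size(size) > mtu:
        size -= 1
    return size


def outer_fragments(inner_len, mtu=1500):
    """Outer IPv4 fragments needed once the ESP packet is built."""
    payload = esp_tunnel_size(inner_len) - OUTER_IP
    per_fragment = (mtu - OUTER_IP) // 8 * 8  # fragment data is 8-byte aligned
    return -(-payload // per_fragment)


if __name__ == "__main__":
    limit = max_inner_packet()
    print("largest inner packet:", limit)
    print("largest 'ping -l' payload:", limit - ICMP_ECHO)
    print("TCP MSS that avoids fragmentation:", limit - 40)
    for inner in (limit, limit + 1, 1500):
        print(inner, "->", esp_tunnel_size(inner), "bytes,",
              outer_fragments(inner), "fragment(s)")
```

Under these assumptions the ceiling is a 1446-byte inner packet (a 1418-byte ping payload), and a full 1500-byte inner packet becomes a 1552-byte ESP packet that needs two outer fragments.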


