Complexity of installation of IPSec is not an issue. I would like to know which one will provide a faster connection for tunneling.
-
What are your cryptography requirements? – belacqua Mar 10 '11 at 23:37
-
I prefer using the fastest crypto algorithm (I guess AES?). But yes the connection should be encrypted – bonzi Mar 11 '11 at 00:43
-
I'm quite pessimistic about this one. What's the use case? Platform, data, environment? Ubuntu, Linux, mixed platform? Who would be using it to do what? Without heavy usage, I don't think it's going to be meaningfully different. With heavy loading, we'd need the details of what kinds of things would be happening. Even then, unless you have some specific requirements, just use whatever makes most sense for your environment. Unless the implementation of IPSec or VPN is broken (buggy, wrong, etc.) I don't think it is going to matter much. – belacqua Mar 12 '11 at 04:30
4 Answers
That is very very AFAIK, but I decided to make it an answer and not a comment.
OpenVPN uses certificates, and there should be some certificate/key exchange involved, so establishing the tunnel will take longer than IPSEC with peer negotiation and establishing of the tunnel. Afterwards, if the same encryption is used, you will see no difference.
I should note that OpenVPN will be like a tunnel with addresses; for IPSEC it will be tunnel mode, where it will check packets going from a certain place to another certain place and encrypt/decrypt accordingly. That way, for IPSEC to make an actual tunnel, you will have to use some simpler tunnel like IPIP or GRE over IPSEC encryption.
- 753
After doing some experiments I found out that IPSec is faster than OpenVPN. The reason could be that IPSec is a kernel implementation while OpenVPN is a userspace implementation.
- 824
Agreed with the above statement. IPsec is faster than OpenVPN UDP. Tested with streaming transcoded 720 media @ flash 11 720p spec over a 4g 6 mbit connection from a 10mbit upload cap. Same aes cbc 128, ipsec did have 2nd (phase 2) enc +fp2, yet ipsec had shorter delay and no buffering of content. Yes, it could be the way internet routers are happily passing along ipsec traffic vs ovpn udp traffic; doesn't that just make it technically "faster" over public networks and maybe the same speed over local/(closed/dark) nets?
- 11
StrongSwan is an implementation of IPSec which is multi-threaded. If you're going to encrypt AES256 on a 10Mbps connection, 1 core of a WRT1900ACS will be fast enough for oVPN to encrypt and get roughly 9Mbps effective over that connection. If, however, you have a 500Mbps connection, you'll notice even a 3GHz Pentium won't pull it off, because the 4 cores could do it, encrypting fast enough to utilize your 500Mbps, but it can only use 1! Which maxes out at roughly 120-130Mbps.
If you use openSwan, it can even use a 12 core CPU. That Pentium 3GHz will now use all the cores it has, and if you have an octa core it'll use all 8.
oVPN can't compete with that.
So on low bandwidth connections up to 100Mbps, oVPN is fast enough on high end CPUs. On the bandwidth of connections for the 21st century, it ain't good enough to use only 1 core.
- 11