Re: KAME IPsec on low-end hardware

From: Darren Reed (avalon@cairo.anu.edu.au)
Date: 11/07/01


From: Darren Reed <avalon@cairo.anu.edu.au>
To: ns@BlueSkyFrog.COM (Nick Slager)
Date: Wed, 7 Nov 2001 19:30:56 +1100 (Australia/NSW)

In some mail from Nick Slager, sie said:
>
> Just set up my first IPsec link between two 4.4-REL boxes. They are
> connected thusly:
>
> IPsec         Linux          IPsec
> Box 1 ----- router box ----- Box 2
> 192.168.1.1            192.168.2.1
>
> This is all set up on a 100mb ethernet LAN.
>
> When pinging the box with the IPsec link active, I'm getting
> suboptimal response times:
>
> box1 ~ % ping box2
> PING box2.internal (192.168.2.1): 56 data bytes
> 64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=35.338 ms
> 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
>
> With IPsec not active, response times are "normal" (~ 0.5ms)

That doesn't sound normal to me.

I've been using IPsec on an OpenBSD/sparc (IPX) box which is
definitely not faster than either the DX4/100 or P90 and my
ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
In the absence of IPsec, ping times are sub-1ms. These are
on the same LAN (no router between them), however. That is
using DES-MD5.
