Netgate Discussion Forum
PPS over IPSec

phospher (Aug 5, 2009, 4:23 PM)

hi, i'm trying to get an idea of how many pps can be sent over an ipsec tunnel. i've been doing some testing trying to send 50,000 pps across a vpn tunnel and it completely kills my firewall and the firewall never recovers. the firewall is running in a vmware environment with 1g dedicated ram. it's on a 3.0GHz Xeon quad processor. looking at vmware it looks like the cpu is completely spiked and i'm guessing that's because of the encryption being done on all the packets.

i'm interested in your comments…

databeestje (Aug 13, 2009, 7:16 PM)

      Ouch, yeah, encryption is mostly assembly to make it faster, VMware doesn't like it that's for sure.

      I see something similar in a few VMs I test with. So yes.

It also profoundly hates shell scripts and pipes and things. I brought down my esx test box with that easily.

fastcon68 (Aug 14, 2009, 5:05 AM)

Do you have a script that I can try on my XenServer for comparison? Be glad to test it.
RC

databeestje (Aug 14, 2009, 9:31 PM)

If you use 1.2.3-RC1 with a lot of ipsec tunnels, the ipsec ping_hosts.sh script will grep through the xml.

          this was the one.
          Create 400 dummy ipsec tunnels and watch it burn once it kicks in.

phospher (Aug 17, 2009, 5:11 PM; last edited Aug 18, 2009, 7:05 PM)

            fastcon68,

i'm using a tool called unicornscan, homepage: http://www.unicornscan.org/

basically, i'm running the command:

```
unicornscan -r 50000 -R 5000 host/ip
```

so, scan the host with 50,000pps and repeat it 5000 times. talk about flooding state tables, that command will do it in a matter of seconds. you probably need server class gigabit interfaces to actually gen 50,000 pps but even 25,000 kills it.

and unicornscan is in the ports tree if you're running freebsd servers…
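The last post says the scan floods the pf state table "in a matter of seconds", and the first post says the firewall never recovers. What an operator wants is to see that happening before the box is dead. The script below is an added example, not code from this thread, from pfSense or from unicornscan: it parses two samples of `pfctl -si` (state table counters) and one of `pfctl -sm` (hard limits), computes state-table utilisation and the insert/removal rate between the samples, and flags a flood. The sample outputs, the 10-second interval and the thresholds are constructed for the example; on a real pfSense box you would feed it the live `pfctl` output instead.

```python
import re

# Constructed sample output in the layout of `pfctl -si` on FreeBSD/pfSense,
# taken 10 seconds apart. The numbers are made up for this example.
PFCTL_INFO_T0 = """\
Status: Enabled for 0 days 01:12:05           Debug: Urgent

State Table                          Total             Rate
  current entries                     1200
  searches                         4820000         1114.9/s
  inserts                            96000           22.2/s
  removals                           94800           21.9/s
"""

PFCTL_INFO_T1 = """\
Status: Enabled for 0 days 01:12:15           Debug: Urgent

State Table                          Total             Rate
  current entries                     8900
  searches                         5200000         1197.0/s
  inserts                           196000           45.1/s
  removals                          188300           43.3/s
"""

# Constructed sample output in the layout of `pfctl -sm` (hard limits).
PFCTL_MEMORY = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""


def parse_state_counters(info_text):
    """Return the Total column of the 'State Table' section as a dict of ints."""
    counters = {}
    in_state_table = False
    for line in info_text.splitlines():
        if line.startswith("State Table"):
            in_state_table = True
            continue
        if in_state_table:
            if not line.startswith("  "):
                in_state_table = False  # next section (Counters, ...) begins
                continue
            # "  current entries                     1200" -> ("current entries", 1200)
            m = re.match(r"\s+([a-z ]+?)\s{2,}(\d+)", line)
            if m:
                counters[m.group(1).strip()] = int(m.group(2))
    return counters


def parse_state_limit(memory_text):
    """Return the 'states hard limit' value from `pfctl -sm` output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", memory_text, re.M)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def assess_state_table(info_t0, info_t1, memory_text, interval_s,
                       util_warn=0.8, insert_rate_warn=5000.0):
    """Compare two `pfctl -si` samples interval_s seconds apart and flag a flood.

    util_warn and insert_rate_warn are assumed thresholds for this example;
    tune them to the box's real state limit and normal traffic.
    """
    c0 = parse_state_counters(info_t0)
    c1 = parse_state_counters(info_t1)
    limit = parse_state_limit(memory_text)
    current = c1["current entries"]
    insert_rate = (c1["inserts"] - c0["inserts"]) / interval_s
    removal_rate = (c1["removals"] - c0["removals"]) / interval_s
    utilisation = current / limit

    findings = []
    if utilisation >= util_warn:
        findings.append(f"state table at {utilisation:.0%} of hard limit {limit}")
    if insert_rate >= insert_rate_warn:
        findings.append(f"state inserts at {insert_rate:.0f}/s "
                        f"(removals {removal_rate:.0f}/s)")
    return {
        "current": current,
        "limit": limit,
        "utilisation": utilisation,
        "insert_rate": insert_rate,
        "removal_rate": removal_rate,
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_state_table(PFCTL_INFO_T0, PFCTL_INFO_T1, PFCTL_MEMORY, 10)
    for finding in result["findings"] or ["state table looks normal"]:
        print(finding)
```

Polling this from cron (or a simple loop over `pfctl -si` / `pfctl -sm`) gives a time series of inserts per second, which is the number that actually tracks the scan's packet rate; once the state table hits its hard limit, new connections are dropped and the "current entries" figure stops being informative, which is why the insert rate is checked separately from utilisation.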