Netgate Discussion Forum

    PPS over IPSec

    5 Posts 3 Posters 2.9k Views
phospher

hi, i'm trying to get an idea of how many pps can be sent over an ipsec tunnel. i've been doing some testing trying to send 50,000 pps across a vpn tunnel and it completely kills my firewall and the firewall never recovers. the firewall is running in a vmware environment with 1g dedicated ram. it's on a 3.0GHz Xeon quad processor. looking at vmware it looks like the cpu is completely spiked and i'm guessing that's because of the encryption being done on all the packets.

      i'm interested in your comments…

databeestje

        Ouch, yeah, encryption is mostly assembly to make it faster, VMware doesn't like it that's for sure.

        I see something similar in a few VMs I test with. So yes.

It also profoundly hates shell scripts and pipes and things. I brought down my esx test box with that easily.

fastcon68

Do you have a script that I can try on my XenServer for comparison? Be glad to test it.
          RC

databeestje

            if you use 1.2.3-RC1 with a lot of ipsec tunnels the ipsec ping_hosts.sh script will grep through the xml.

            this was the one.
            Create 400 dummy ipsec tunnels and watch it burn once it kicks in.

phospher

              fastcon68,

              i'm using a tool called unicornscan homepage: http://www.unicornscan.org/

basically, i'm running the command:

```
unicornscan -r 50000 -R 5000 host/ip
```

so, scan the host with 50,000 pps and repeat it 5000 times. talk about flooding state tables, that command will do it in a matter of seconds. you probably need server class gigabit interfaces to actually gen 50,000 pps but even 25,000 kills it.

and unicornscan is in the ports tree if you're running freebsd servers…
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.