Possible move from IPsec to OpenVPN
-
I’m seeking more performance from my VPNs. I moved from WireGuard to IPsec site-to-site and I doubled my downloads. I’m now looking at OpenVPN with DCO enabled. Is there any data out there showing speed improvements over IPsec? Even 10% is welcome.
-
What speeds are you seeing now?
6100/7100 at each end?
I have seen OpenVPN with DCO show better throughput than IPSec, but there are a lot of variables. It's probably worth testing if you need every Mbps you can get, but it won't be dramatically faster.
Steve
-
@stephenw10
Between each test site ~30ms
Remote site with openspeedtest docker container - 200/10 ISP service.
WireGuard speedtest - I can get 50/10
Switched over to IPsec - I can now get 120/10
I don't know why WireGuard was so poor performing, but I have seen this come up on a few tests. Lowering the MTU had no impact on speeds. Once I switched some sites to IPsec, performance jumped considerably. No tuning needed.
Now I am looking at OpenVPN w/ DCO.
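The comparison above was done by eye from a speedtest page. As an added example, not from this thread or from any of the posters, here is a small Python helper that reads the JSON that `iperf3 --json` emits for a run through each tunnel and reports the percentage change against a baseline, which answers the "even 10%" question directly. It assumes iperf3 is the test tool (the thread used openspeedtest) and that you saved one report per tunnel; the embedded reports are constructed and trimmed to the one field the script reads (`end.sum_received.bits_per_second`, the receiver-side TCP figure in real iperf3 output), using the 50 and 120 Mbps numbers from the post above.

```python
import json

# Constructed, minimal iperf3 --json reports. Real reports carry many more
# fields; only end.sum_received.bits_per_second is consumed here.
SAMPLE_REPORTS = {
    "wireguard": json.dumps(
        {"end": {"sum_received": {"bits_per_second": 50_000_000.0}}}),
    "ipsec": json.dumps(
        {"end": {"sum_received": {"bits_per_second": 120_000_000.0}}}),
}


def throughput_mbps(report_json: str) -> float:
    """Receiver-side throughput in Mbit/s from one iperf3 JSON report."""
    report = json.loads(report_json)
    bps = report["end"]["sum_received"]["bits_per_second"]
    return bps / 1_000_000


def percent_change(baseline_mbps: float, candidate_mbps: float) -> float:
    """Relative change of candidate over baseline, in percent."""
    if baseline_mbps <= 0:
        raise ValueError("baseline throughput must be positive")
    # Multiply before dividing so whole-number inputs stay exact.
    return (candidate_mbps - baseline_mbps) * 100 / baseline_mbps


def compare_tunnels(reports: dict, baseline: str) -> dict:
    """Map each non-baseline tunnel name to its % change vs. the baseline."""
    base = throughput_mbps(reports[baseline])
    return {
        name: percent_change(base, throughput_mbps(report))
        for name, report in reports.items()
        if name != baseline
    }


def load_reports(paths: dict) -> dict:
    """paths: {tunnel_name: path_to_iperf3_json}. Hypothetical helper for real runs."""
    out = {}
    for name, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            out[name] = fh.read()
    return out


if __name__ == "__main__":
    for name, change in compare_tunnels(SAMPLE_REPORTS, "wireguard").items():
        mbps = throughput_mbps(SAMPLE_REPORTS[name])
        print(f"{name}: {mbps:.1f} Mbit/s ({change:+.1f}% vs. wireguard)")
```

Run the same iperf3 command (same direction, same parallel-stream count, same duration) through each tunnel before comparing; with a ~30 ms path a single TCP stream can be window-limited, so a tunnel change and a test-parameter change are easy to confuse.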
-
Hmm, well at those speeds it's not a limitation in IPSec itself. A 6100 is capable of far higher than that. So I wouldn't expect OpenVPN/DCO to be much different unless something in the route is specifically throttling IPSec.
-
@stephenw10 fair enough. Any idea why WireGuard was such a poor performer? I brought the MTU down to 1300 and no change.
I don't think it's a path issue, only because IPsec NAT-T and WireGuard both use the UDP protocol for encapsulation. ISPs shouldn't care at that level.
-
@michmoor said in Possible move from IPsec to OpenVPN:
ISPs shouldn't care at that level.
Indeed they shouldn't. But that doesn't mean they aren't!
As you say with NAT-T it's all just UDP traffic, far more common to see issues with ESP packets being mishandled.
Steve
-
@stephenw10 @michmoor we actually do see better speeds internally with DCO > IPSec > Wireguard. These improve more with an improved crypto implementation in OCF (that isn't public yet).
There will be results announced at ASIABSDCon (if the paper is accepted)
Also, DCO using AES-GCM-256 can be accelerated on QAT (and both the 5100 and 6100 support same) in 23.01
-
@jwt @stephenw10 appreciate your feedback here. Truly do.