Bandwidth utilization over IPSec VPN



  • Our company supplies virtual infrastructure to medical facilities. There are daemons in the cloud that feed data to medical devices at the local clinics, one daemon per medical device. Since it is medical information, it is required to be in a VPN.

    My question is about total usage of bandwidth available. Because of latency, we know that the total single-connection throughput (TCP) is limited to (bits / latency) - inefficiency | jitter. In other words, a data line with 52ms latency can only feed any single connection at about 10 Mbps, regardless of total bandwidth available on the line.

    We are just about to take on our first client that has multiple devices connected to a hub (as opposed to discrete connections), then linking up to the cloud. IOW, 6 devices connected at 1G MPLS to a central point which then has a 100 meg connection to the Internet. It's there that we will build our VPN.

    So the question: when building a VPN over IPSec, is the tunnel considered a single stream irrespective of the number of devices on each side (meaning that the TOTAL bandwidth available would be based on latency like the example above), or would each machine be considered a different connection through the VPN and get its own bandwidth? Is the IPSec stream the limiting factor, meaning that the TOTAL bandwidth available between their central point and our cloud would be (10 Mbps for example), or would each connection be able to use as much bandwidth as latency allows, meaning that each of the 6 machines could transmit at a maximum of 10 Mbps?

    TIA for any thoughts offered …
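The "(bits / latency)" ceiling the poster describes is the TCP bandwidth-delay product: one TCP connection can have at most one receive window in flight per round trip, so its throughput is bounded by window / RTT. That bound belongs to each TCP connection, not to the link: an IPsec tunnel (ESP in tunnel mode) encapsulates each inner IP packet independently and has no window of its own, so every inner TCP connection carries its own window/RTT ceiling, and the tunnel aggregate is the sum of the inner flows up to the link rate (minus encapsulation overhead). The block below is an added worked example, not code from the thread; the window sizes, RTT, link rate and ESP overhead figures are constructed for illustration, and the 58-byte overhead is an assumed tunnel-mode ESP figure for AES-CBC with a 96-bit ICV.

```python
"""Bandwidth-delay product worked example for TCP inside an IPsec tunnel.

Added example (not from the original thread). All numbers are constructed.
"""


def tcp_ceiling_bps(window_bytes: int, rtt_s: float) -> float:
    """Upper bound on ONE TCP connection's throughput: one window per RTT.

    The bound ignores loss and slow start; it is the limit the first post
    describes as (bits / latency).
    """
    return window_bytes * 8 / rtt_s


def required_window_bytes(target_bps: float, rtt_s: float) -> float:
    """Receive window a single connection needs to sustain target_bps at this RTT."""
    return target_bps * rtt_s / 8


def aggregate_ceiling_bps(flows, link_bps: float) -> float:
    """Aggregate ceiling for several inner TCP flows sharing one tunnel/link.

    flows: iterable of (window_bytes, rtt_s), one entry per inner TCP connection.
    Each inner flow has its own window; ESP tunnel mode encapsulates packets, not
    streams, so the flows add up until the physical link is the limit.
    """
    return min(sum(tcp_ceiling_bps(w, r) for w, r in flows), link_bps)


# Assumed ESP tunnel-mode overhead per packet (IPv4, AES-CBC, 96-bit ICV):
#   20 outer IPv4 header + 8 ESP header (SPI, sequence) + 16 IV
#   + 2 ESP trailer (pad length, next header) + 12 ICV = 58 bytes,
# plus 0-15 bytes of block-alignment padding not counted here.
ESP_OVERHEAD_BYTES = 58


def esp_goodput_fraction(inner_packet_bytes: int,
                         overhead_bytes: int = ESP_OVERHEAD_BYTES) -> float:
    """Fraction of tunnel bytes that are inner-packet payload."""
    return inner_packet_bytes / (inner_packet_bytes + overhead_bytes)


def scenario(n_devices: int, window_bytes: int, rtt_s: float, link_bps: float) -> dict:
    """Per-flow and aggregate ceilings for n_devices devices behind one tunnel."""
    per_flow = tcp_ceiling_bps(window_bytes, rtt_s)
    total = aggregate_ceiling_bps([(window_bytes, rtt_s)] * n_devices, link_bps)
    return {
        "per_flow_mbps": per_flow / 1e6,
        "aggregate_mbps": total / 1e6,
        "window_to_fill_link_bytes": required_window_bytes(link_bps, rtt_s),
    }


if __name__ == "__main__":
    RTT = 0.052          # 52 ms, as in the post (constructed)
    LINK = 100e6         # 100 Mbit/s Internet uplink at the central point
    # Classic 64 KiB window with no window scaling: the ~10 Mbps figure.
    print(scenario(6, 65536, RTT, LINK))
    # Window scaling enabled, 4 MiB receive window per connection.
    print(scenario(6, 4 * 1024 * 1024, RTT, LINK))
    print("ESP goodput fraction at 1400-byte inner packets:",
          round(esp_goodput_fraction(1400), 3))
```

Running it shows the two regimes the thread is asking about: with a 64 KiB window each of the six inner connections is capped near 10 Mbps and the tunnel carries about 60 Mbps in total, well under the 100 Mbit link; with window scaling (a roughly 650 KB window is enough at 52 ms) a single connection could fill the link on its own and the six together are limited only by the link and the ESP overhead.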



  • It should better utilize bandwidth to have 1 VPN per device, as each tunnel will be limited separately by your long fat pipe problem (latency).
    Is it possible for you to establish 6-10 VPN connections?  I do this all the time with OpenVPN for this reason but haven't tried with IPsec.  I get people in the Philippines to load client software per computer rather than on the router for this reason.  I'm not sure how IPsec will perform if you did that.  It should be fine.



  • I'd thought about parallel pipes but didn't think it was possible, due to confusion over subnetting. OpenVPN does this? How does it resolve subnet / gateway issues? And more intriguingly, "you do this all the time…?" That's great, I'm looking forward to hearing how you pull that off.

    Thanks much for the reply



  • Ah … just saw one solution - have the VPN endpoint be at each clinic so I get the benefit of multiple VPNs delivering bandwidth directly to each clinic. I believe that would do the trick.

    Still love to hear your thoughts on multiple parallel, because this issue will come up in the future when we have multiple linear accelerators at a single location. Thus far we've been fortunate to have a single Linac per clinic.

    Thanks again



  • I don't actually have much "pulling off" to do.  I wish it was some genius move on my part.
    All I do is set up a very standard TUN OpenVPN server using NAT, set to tunnel all connections through my server.
    Then I export clients for people to install.  OpenVPN does all the magic for me.  Not much amazingness required on my part.
    It just works.



  • Yes - for having many, many connections that originate from behind a single firewall to a single distant point, OpenVPN excels.
    It doesn't get confused by multiple layers of NAT and things like that.  Doesn't care what port you run it on.  Doesn't much care how many connections you make on that single port either, although I tend to run as many instances as I have physical cores.