Netgate Discussion Forum

    Does anyone know the bandwidth of an IPSEC VPN tunnel?

    jle2005

      Hello All,

      Currently, I have been assigned the task of setting up an IPSEC VPN tunnel to connect the two office locations into one network. The goal of this setup is to provide inter-site replication and replication of a lite database of about 50MB between the two offices. However, I don't have much knowledge of or expertise with pfsense, so what I would like to know is whether a pfsense IPSEC VPN tunnel will be able to support and handle this kind of replication. Thank you for any input that you guys can give me.

        trendchiller

        1. As long as the tunnel is stable (it should be with the latest version) it's no problem for pfsense to handle it.
        2. Remember that your bandwidth has an impact on how long it takes to replicate.
        3. You should consider having a look at the traffic shaper so as not to slow down other applications during working hours (if replication occurs during working hours).

        ;)

          jahonix

          Honestly, how should anybody know by the facts given?

          The following will have the most impact:

          • The connection between the two locations (without IPsec)
              An ADSL line will be slower than a 1GBit fiber connection.
          • The hardware used to run pfSense on (on both sides)
              An embedded VIA processor will have less throughput than server class hardware. Especially with IPsec, where number crunching occurs heavily.

          Without a more detailed description of your surrounding parameters there simply can't be any advice.

            jle2005

            Trendchiller, thanks very much for your advice.

              jle2005

              Chris,

              Thanks for the input. Below are the detailed system hardware that I will use to build the pfsense box and the internet bandwidth at each location.

              Location 1:

              System info:
                              CPU: Pentium 4 2.66GHz with hyper threading
                              Memory: 512MB
                              Hard drive: 30GB

              Internet Connection:
                              Two full T1 lines, which have 3MB up and 3MB down

              Location 2:

              System info:
                              CPU: Pentium 4 2.66GHz with hyper threading
                              Memory: 512MB
                              Hard drive: 30GB

              Internet Connection:
                              T1

              Please give me some advice if you can. Thanks very much.

                Cry Havok

                Your choice of network cards is very important - search the forum for details (hint, Intel Server NICs are a good choice, Realtek is a very bad choice).

                What also matters is the rate of change on that database compared to your bandwidth (BTW, did you mean 3 MB/s (24 Mb/s) or 3 Mb/s).

                  gmckinney

                  @Cry:

                  What also matters is the rate of change on that database compared to your bandwidth (BTW, did you mean 3 MB/s (24 Mb/s) or 3 Mb/s).

                  He listed 2 T1 circuits at one end and 1 T1 circuit at the other so he only has 1.5mbit/sec link (up/dwn) between the two locations (limited to the 1 T1 circuit throughput).

                  Given the overhead for TCP/IP and the additional overhead for the IPSec link I suspect he will get a maximum of around 1.0 - 1.2 mbit/sec data rate through that setup (about 120-KByte to 150-KByte per second of data throughput).

                  If the throughput is around 1.0 mbit/sec for the link then it would take around 5 to 7 minutes to move a 50-Mbyte file across the link - that is assuming you are using the FULL link for just the move.  If you are using the link for normal business then you will need to throttle (bandwidth limit) the database copy or move the time of day the copy occurs to after business hours, otherwise you will not have any bandwidth left for normal business operation.

                  Just some observations…

                    jle2005

                    Cry Havok, thank you for your advice.

                    What also matters is the rate of change on that database compared to your bandwidth (BTW, did you mean 3 MB/s (24 Mb/s) or 3 Mb/s).

                    In location 1 I have two full T1s combined into one pipeline, which gives me a 3MB/s link (up/dwn).

                      jle2005

                      gmckinney, thank you for your detailed information on moving data across the link.

                        jahonix

                        @jle2005:

                        …which gives me 3MB/s link (up/dwn).

                        Maybe you didn't get it:
                        3 MB is 3 MByte
                        3 Mb is 3 Mbit

                        The latter is what you'll have with a T1 or a DSL line.

                          jle2005

                          Maybe you didn't get it:
                          3 MB is 3 MByte
                          3 Mb is 3 Mbit

                          The latter is what you'll have with a T1 or a DSL line.

                          So, Chris, what is the best setup for this scenario? Thanks

                            Cry Havok

                            I suspect the answer is that at a mere 3 Mb/s it probably doesn't matter - almost any hardware will cope.

                            Still, as per my original post, the rate of change is going to be your key issue.  If you generate more than (about) 256 KB of changes per second then you won't be able to keep up with real time sync.  As long as your daily/weekly average remains at or below this then you'll be able to stay in sync, though there will be a lag at times.

                              jahonix

                              @jle2005:

                              …what is the best setup for this scenario?

                              Given the quality of your feedback to questions and hints, and taking into consideration that you are going to secure a business' information pool, the only reasonable answer should be: a consultant.

                              You can get help from the commercial support of the developers. I suggest you check them out!
                                http://centipedenetworks.com/products_support_pfsense.php
                                http://www.bsdperimeter.com/index.php?option=com_content&task=view&id=6&Itemid=24

                              !!! There is no pun intended. It just seems to be the best option at the moment!

                                jle2005

                                Thank you Cry Havok and jahonix.

                                  jahonix

                                  @Cry:

                                  I suspect the answer is that at a mere 3 Mb/s it probably doesn't matter - almost any hardware will cope.

                                  Since one of his sides only has one T1 line the tunnel will be 1.5Mb only.

                                    fastcon68

                                    I agree that the max connection will be 1.5 Mb. I would add supported hardware encryption adapters. That will take the load off the firewall. I ran into a situation similar to this one and we added the hardware encryption, and that resolved the issue that we were having at the time.

                                    We were dealing with 18 to 30 users using Citrix across a T-1.
                                    RC

                                      databeestje

                                      The speed of a tunnel between sites is determined by the lowest common denominator, e.g. the slowest upstream value of both lines. For example: I have an 8Mbit fiber at one end, and an 8/1 mbit DSL on the other end. Although the DSL location can fetch from the main site with 8Mbit, they can only send to us with 1mbit.

                                      This becomes even more evident when you have 2 DSL sites. At that point one can never go above the single upstream capacity of one site.

                                      Regarding the bandwidth of the tunnel: an older Wrap system will do about 4-5mbits without problems. The newer Alix 2c3 system does about 8-10mbit ipsec tunnel throughput without problems.

                                      My VPN concentrator at the main site is a Dell PE860 with a Dual Core 2.13. So that one can easily do 100Mbit wirespeed ipsec without issues.

                                      The real issue with your case is the latency between those sites, as that is critical for running database connections between sites. This determines the responsiveness of the application if the database is used directly.

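
As an added example (not written by any poster in this thread), the sketch below combines the bottleneck rule from databeestje's post with the per-packet IPsec overhead gmckinney estimates, using the thread's line rates and its 50 MB database. It assumes ESP tunnel mode over IPv4 without NAT-T, TCP without options, and ignores layer-2 framing, ACK traffic and retransmissions, so the results are upper bounds.

```python
# Added example (not from the thread). Line rates are the thread's figures;
# the ESP field sizes are the standard ones for tunnel mode over IPv4.
from dataclasses import dataclass

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_IP = 40        # inner IPv4 (20) + TCP (20) headers, no options

@dataclass(frozen=True)
class Suite:
    name: str
    iv: int      # bytes of IV carried in every packet
    block: int   # alignment required for the encrypted payload
    icv: int     # bytes of integrity check value

SUITES = [
    Suite("3DES-CBC + HMAC-SHA1-96", 8, 8, 12),
    Suite("AES-CBC + HMAC-SHA1-96", 16, 16, 12),
    Suite("AES-GCM-16", 8, 4, 16),
]

def esp_packet_len(inner_len, suite):
    """Wire size of one ESP tunnel-mode packet carrying an inner IP packet."""
    pad = -(inner_len + ESP_TRAILER) % suite.block
    return OUTER_IP + ESP_HEADER + suite.iv + inner_len + pad + ESP_TRAILER + suite.icv

def path_rate(sender_up, receiver_down):
    """One direction of the tunnel is limited by the slower of its two legs."""
    return min(sender_up, receiver_down)

def goodput_mbit(line_mbit, inner_len, suite):
    """Upper bound on TCP payload rate through the tunnel, in Mbit/s."""
    return line_mbit * (inner_len - TCP_IP) / esp_packet_len(inner_len, suite)

def transfer_seconds(size_mbyte, line_mbit, inner_len, suite):
    """Time to move size_mbyte (decimal megabytes) at the goodput above."""
    return size_mbyte * 8 / goodput_mbit(line_mbit, inner_len, suite)

if __name__ == "__main__":
    # Thread's sites: two bonded T1s (3 Mbit/s) at one end, one T1 (1.5) at the other.
    rate = path_rate(sender_up=3.0, receiver_down=1.5)
    for s in SUITES:
        for inner in (1400, 576):   # constructed inner packet sizes
            g = goodput_mbit(rate, inner, s)
            t = transfer_seconds(50, rate, inner, s)
            print(f"{s.name:24} inner={inner:4} wire={esp_packet_len(inner, s):4} "
                  f"goodput={g:.2f} Mbit/s  50MB in {t / 60:.1f} min")
```

Small inner packets pay proportionally more overhead, which is why the 576-byte rows come out noticeably slower than the 1400-byte rows.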
                                        jle2005

                                        Thank you guys.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.