[Openswan Users] Throughput testing with a Linksys WRT54G

Ferdinand O. Tempel pw at linuxops.net
Sun Jun 27 20:09:45 CEST 2004 

Hi,

On popular request I did some throughput tests using a Linksys WRT54G
broadband router as ipsec endpoint.

0) General

The tests are performed with iperf for throughput, and cyclesoak on the
WRT54G for CPU load. Cyclesoak is recalibrated for each new algorithm,
but not between tests.

- Each test is peformed five times.
- For the CPU load, 11 data points are taken (1/second, for 10 seconds).
For the CPU load the average is taken over 9 of these (the minimum and
maximum values are taken out).
- The throughput yields one (total) value per test.

To get to the totals the 5 data points for CPU load and throughput are
averaged over 3 measurements. As before, the minimum and maximum values
are taken out.

1) Test results

1.1) Switching (same subnet)

Network layout:

eth0/10.164.10.200 --- (br0/10.164.10.1) --- eth0/10.164.10.100
          iperf -s --- (   cyclesoak   ) --- iperf -N -c 10.164.10.200
	
	Average CPU load:		N/A	%
	Average throughput:		93.8	Mbit/s

1.2) Routing (different subnets)

Network layout:

eth0/192.168.1.200 --- (br0:1/192.168.1.1 X br0/10.164.10.1) ---
eth0/10.164.10.100
iperf -s --- (             cyclesoak             ) --- iperf -N -c
192.168.1.200


1.2.1) Without IPsec
	
	Average CPU load:		52.9	%
	Average throughput:		26.1	Mbit/s

1.2.2) With IPsec

The ipsec tunnel is between 192.168.1.200 (left) and 10.164.10.1
(right), with 10.164.10.0/24 as rightsubnet. Measurements are preformed
on 10.164.10.100 as client, with 192.168.1.200 as server, having the
Linksys device in the middle as router.

Base configs:
left:

CPU: 2x500MHz Intel Celeron
Kernel: 2.6.7 SMP
Openswan: Openswan-2 HEAD userspace (CVS, 27-06-2004)
Memory: 768MB

ipsec.conf:
conn test
	left=%defaultroute
	right=10.164.10.1
	rightsubnet=10.164.10.0/24
	authby=secret
	auto=ignore

right:
CPU: 200MHz Broadcom BCM3302 V0.7
Kernel: 2.4.20
Openswan: Openswan-2.2.0dr1 ipsec.o module, Openswan-2 HEAD userspace.
Memory: 14MB :-)

ipsec.conf:
conn test
	left=192.168.1.200
	right=10.164.10.1
	rightsubnet=10.164.10.0/24
	authby=secret
	auto=ignore

1.2.2.1) Test results IPsec (3Des)
	
	Added esp=aes to the ipsec.conf snippets above on both sides.
	
	Average CPU load:		83.5	%
	Average throughput:		1.51	Mbit/s

1.2.2.2) Test results IPsec (AES)
	
	Added esp=aes to the ipsec.conf snippets above on both sides.
	
	Average CPU load:		82.9	%
	Average throughput:		2.65	Mbit/s

2) Discussion

I didn't have the chance to test IPsec with NULL encryption as the
openswan KLIPS module I used on the WRT54G didn't seem to support this
mode. Shame, but when I get a chance I will rerun these tests, but with
NULL taken into the results too.

I think the general conclusion can be drawn that indeed AES is better to
use for IPsec on resource starved devices. I don't think that comes as a
surprise to anyone :-) I am amazed by the large amount of load which
simple routing puts on the CPU though, especially as simple switching
didn't have any measurable effect on the CPU load (I guess that's done
purely in hardware). Imagine how much throughput you'd be able to get
when that area is optimized. Admittedly though, I didn't disable the
iptables ruleset when I preformed these tests. Maybe I should have. When
I rerun the tests with NULL encryption for IPsec, I'll be sure to also
not have any netfilter in the way too. If in the meantime anyone has any
suggestions on better tests or test methods, please let me know, and
I'll take your suggestions into account on the next test run.

PS: I don't know how the layout of this piece will come over in your
mail client, and the ascii art might not look that good either. Use your
imagination :-)

-- 
Regards,

Ferdinand O. Tempel

Your friendly neighborhood linuxops.net administrator.

More information about the Users mailing list