[Openswan Users] Re: Latency with Openswan?
Peter McGill
petermcgill at goco.net
Mon Jul 10 14:00:51 CEST 2006
I only run about 30 tunnels on each server, but I find there is little
latency caused by the IPSec processing. Most is in the internet
transmission.

I also use Citrix with some tunnels, I find it works alright if the internet
connection is good, otherwise it experiences problems. I find Citrix to
be more picky about the internet connection quality than some other apps.

Some test statistics: (Production Environment)

Intel(R) Pentium(R) 4 CPU 2.80GHz, 512 MB RAM
Linux Openswan 2.4.4 (klips), Linux Kernel 2.4.31
Running 19 tunnels (> 30 users, well used).

Also running:
  sshd
  bind (named)
  dhcpd
  sendmail (> 30 users, well used)
  mimedefang
  spamassassin
  mysqld
  samba (smbd, nmbd) (> 8 users, well used)
  apache with ssl (httpd -DSSL)
  and more...

sheridan, above stats, running test
newton, remote Openswan router
10.0.0.149, only active remote workstation behind newton

tcpdump -i eth1 host newton -vvv
11:48:47.438439 IP (tos 0x0, ttl 55, id 10762, offset 0, flags [none], length: 152) newton > sheridan: ESP(...)
11:48:47.438559 IP (tos 0x0, ttl 64, id 39931, offset 0, flags [none], length: 168) sheridan > newton: ESP(...)
11:48:47.440740 IP (tos 0x0, ttl 55, id 10763, offset 0, flags [none], length: 152) newton > sheridan: ESP(...)
11:48:47.461354 IP (tos 0x0, ttl 55, id 10764, offset 0, flags [none], length: 152) newton > sheridan: ESP(...)
11:48:47.476105 IP (tos 0x0, ttl 64, id 39933, offset 0, flags [none], length: 104) sheridan > newton: ESP(...)
11:48:49.321579 IP (tos 0x0, ttl 55, id 10765, offset 0, flags [none], length: 152) newton > sheridan: ESP(...)
11:48:49.321683 IP (tos 0x0, ttl 64, id 39935, offset 0, flags [none], length: 104) sheridan > newton: ESP(...)

tcpdump -i ipsec0 host 10.0.0.149 -vvv
11:48:47.438439 IP (tos 0x0, ttl 127, id 27215, offset 0, flags [DF], length: 92) 10.0.0.149.1141 > sheridan.ssh: P 1456:1508(52) ack 989 win 64356
11:48:47.438521 IP (tos 0x10, ttl 64, id 39930, offset 0, flags [none], length: 108) sheridan.ssh > 10.0.0.149.1141: P 1041:1109(68) ack 1508 win 33280
11:48:47.440740 IP (tos 0x0, ttl 127, id 27216, offset 0, flags [DF], length: 92) 10.0.0.149.1141 > sheridan.ssh: P 1508:1560(52) ack 1041 win 64304
11:48:47.461354 IP (tos 0x0, ttl 127, id 27217, offset 0, flags [DF], length: 92) 10.0.0.149.1141 > sheridan.ssh: P 1560:1612(52) ack 1109 win 64236
11:48:47.476079 IP (tos 0x10, ttl 64, id 39932, offset 0, flags [none], length: 40) sheridan.ssh > 10.0.0.149.1141: . [tcp sum ok] 1109:1109(0) ack 1612 win 33280
11:48:49.321579 IP (tos 0x0, ttl 127, id 27218, offset 0, flags [DF], length: 92) 10.0.0.149.1141 > sheridan.ssh: P 1612:1664(52) ack 1109 win 64236
11:48:49.321646 IP (tos 0x10, ttl 64, id 39934, offset 0, flags [none], length: 40) sheridan.ssh > 10.0.0.149.1141: . [tcp sum ok] 1109:1109(0) ack 1664 win 33280

The tcpdump files are longer, but the timestamps on even this short bit of
packets say a lot.

There is no detectable latency on Openswan IPSec decryption.
Latency on encryption: 0.038 ms, 0.026 ms, 0.037 ms respectively.

Considering my internet latency runs about 1000-2000 times that (25-50 ms),
I don't really consider the IPSec a factor in my latency considerations.
It's even still far less than host to host ethernet latency, which for me
with 1 intervening switch is about 0.2 ms (5-10 times more).

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
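
Added example, not part of the original post: a Python sketch of the comparison described above, pairing each packet on ipsec0 (cleartext side) with the matching ESP packet on eth1 and reporting the timestamp difference in microseconds. The function names are hypothetical, the capture lines are the post's own timestamps with the IP header details trimmed to "(...)", and pairing the n-th packet in each direction assumes no loss or reordering between the two interfaces.

```python
import re

# Timestamps and directions taken from the two captures in the post;
# header details are trimmed to "(...)" to keep the sample short.
ETH1 = """\
11:48:47.438439 IP (...) newton > sheridan: ESP(...)
11:48:47.438559 IP (...) sheridan > newton: ESP(...)
11:48:47.440740 IP (...) newton > sheridan: ESP(...)
11:48:47.461354 IP (...) newton > sheridan: ESP(...)
11:48:47.476105 IP (...) sheridan > newton: ESP(...)
11:48:49.321579 IP (...) newton > sheridan: ESP(...)
11:48:49.321683 IP (...) sheridan > newton: ESP(...)
"""
IPSEC0 = """\
11:48:47.438439 IP (...) 10.0.0.149.1141 > sheridan.ssh: P
11:48:47.438521 IP (...) sheridan.ssh > 10.0.0.149.1141: P
11:48:47.440740 IP (...) 10.0.0.149.1141 > sheridan.ssh: P
11:48:47.461354 IP (...) 10.0.0.149.1141 > sheridan.ssh: P
11:48:47.476079 IP (...) sheridan.ssh > 10.0.0.149.1141: .
11:48:49.321579 IP (...) 10.0.0.149.1141 > sheridan.ssh: P
11:48:49.321646 IP (...) sheridan.ssh > 10.0.0.149.1141: .
"""

# re.S lets the pattern span line-wrapped "tcpdump -vvv" records as well.
PKT = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{6}) IP \(.*?\)\s+(\S+) > (\S+):", re.S)

def packets(dump):
    """Return [(timestamp in microseconds, source)] for each packet in the text."""
    out = []
    for h, m, s, us, src, _dst in PKT.findall(dump):
        out.append(((int(h) * 3600 + int(m) * 60 + int(s)) * 1_000_000 + int(us), src))
    return out

def ipsec_delay_us(eth_dump, ipsec_dump, gateway="sheridan"):
    """Per-packet delay added by the gateway, split by direction."""
    eth, clear = packets(eth_dump), packets(ipsec_dump)
    def deltas(first, second, outbound):
        # Keep one direction only, then pair the n-th packet on each interface.
        a = [t for t, src in first if src.startswith(gateway) == outbound]
        b = [t for t, src in second if src.startswith(gateway) == outbound]
        return [y - x for x, y in zip(a, b)]
    return {"encrypt": deltas(clear, eth, True),    # ipsec0 -> eth1
            "decrypt": deltas(eth, clear, False)}   # eth1 -> ipsec0
```

Calling `ipsec_delay_us(ETH1, IPSEC0)` returns the per-direction lists of delays, which can be compared against the figures quoted in the message.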