On Thu, Jun 22, 2006 at 04:03:58PM +0200, Massimo Lusetti wrote:
> On Wed, 2006-06-21 at 17:49 +0200, Bihlmaier Andreas wrote:
> >
> > Sorry, for that but I thought it wouldn't matter:
>
> I don't mean to offend you, but... I think the test environment matters.
>
> > All hosts are in the same network and can talk directly to each other,
> > but for insecure protocols (NFS, HTTP) I run a VPN between them.
> >
> > host1       router        host2
> > 10.0.0.1    10.0.0.254    10.0.0.8    // Real IP
> >                                       // VPN
> > 10.2.0.1    10.2.0.254    10.2.0.8    // alias used for VPN
> >
> >         +---------+
> > host1---+         |
> >         | Switch  +------- router
> > host2---+         |
> >         +---------+
> >
>
> Again you don't specify which host is what so I'm guessing here.
> Which is the C7?

the router.

> What are the other boxes?

fast enough (amd64 3200+ and i386 athlon xp 2500+).

>
> > I use "iperf -w 256k" for testing purposes.
> > The speed between hosts/router using their real IPs (-B 10.0.0.*) is
> > about 70-80 Mb/s.
> >
> > ~22 Mb/s between host1 and host2 using their VPN IPs.
>
> BTW I don't think you should spit on 22 Mb/s IPSec for a 500/600 EURO
> box.

My problem with the speed is that compared to the performance I get out
of openssl (by USERcrypto) the IPSEC (in kernel) performance is
terrible. AFAIK right now it doesn't even make use of the crypto
hardware because I can get the same throughput with a comparably fast CPU
(without crypto hardware).

The box was 200 Euros + RAM + Dual NIC, thus would be a _DREAM_ of an
IPSEC box (and it only uses ~30W of power).

Also see this quote:
"With OpenBSD version 3.4, the kernel now exploits the C7's blindingly
fast AES hardware in IPSec"
http://www.viaarena.com/default.aspx?PageID=5&ArticleID=451&P=4&printer=true

Sure it is marketing, but I think it SHOULD work...

>
> For the record I got the same IPSec performance with C3 1GHz on rl(4)
> boxes. Sustained.
> --
> Massimo.run();

Is it really using the crypto hardware?

ahb