Just for fun, some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I did the same iperf TCP tests as in my labs for Fortinet and Palo Alto, using six different phase 1/2 proposals, i.e. crypto algorithm combinations. The results were as expected, with one exception.
The Lab
I used two Juniper SSG 140 firewalls with ScreenOS version 6.3.0r24.0. Only the 1 Gbps interfaces (eth0/8 and eth0/9) were used. A simple unmanaged HP switch was between those firewalls. At both ends I booted some notebooks into Knoppix 7.7.1 which has iperf version 2.0.9 installed. I tested the mere routing speed (without any IPsec VPNs) as well as the following crypto algorithms which I changed for each test for both VPN phases (IKE and IPsec): DES/MD5, 3DES/MD5, 3DES/SHA-1, AES128/SHA-1, AES256/SHA-1, AES256/SHA2-256. I always used Diffie-Hellman group 14 for the key establishment which is only related to the start of the VPN session and not to the bulk encryption.
The ScreenOS config lines for those proposals were the following:

set ike p1-proposal "pre-g14-des-md5" preshare group14 esp des md5 second 28800
set ike p1-proposal "pre-g14-3des-md5" preshare group14 esp 3des md5 second 28800
set ike p1-proposal "pre-g14-3des-sha1" preshare group14 esp 3des sha-1 second 28800
set ike p1-proposal "pre-g14-aes128-sha1" preshare group14 esp aes128 sha-1 second 28800
set ike p1-proposal "pre-g14-aes256-sha1" preshare group14 esp aes256 sha-1 second 28800
set ike p1-proposal "pre-g14-aes256-sha256" preshare group14 esp aes256 sha2-256 second 28800
set ike p2-proposal "g14-esp-des-md5" group14 esp des md5 second 3600
set ike p2-proposal "g14-esp-3des-md5" group14 esp 3des md5 second 3600
set ike p2-proposal "g14-esp-3des-sha1" group14 esp 3des sha-1 second 3600
set ike p2-proposal "g14-esp-aes128-sha1" group14 esp aes128 sha-1 second 3600
set ike p2-proposal "g14-esp-aes256-sha1" group14 esp aes256 sha-1 second 3600
set ike p2-proposal "g14-esp-aes256-sha256" group14 esp aes256 sha2-256 second 3600
Before each test I verified the crypto algorithms actually used for the VPN session, such as:

LEFT-> get ike cookies
IKEv1 SA -- Active: 1, Dead: 0, Total 1

80522f/0003, 192.168.1.11:500->192.168.1.10:500, PRESHR/grp14/DES/MD5, xchg(2) (ScreenOSVPNTest/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28541 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map not available
ike heartbeat              : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

IKEv2 SA -- Active: 0, Dead: 0, Total 0
LEFT->
LEFT->
LEFT-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
ScreenOSVPNTest ScreenOSVPNTest tunl No    g14-esp-des-md5      on      0       eth0/8
Total Auto VPN: 1

Total Pure Transport Mode IPSEC VPN: 0

Name       Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
---------- --------------- --------------- -------- -------- ---------------- ------- ----------
Total Manual VPN 0
LEFT->
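To make that pre-test check repeatable, here is an added example (not code from the original post) in Python that parses the `get ike cookies` and `get vpn` output above and compares the negotiated IKE algorithms with the VPN's configured phase-2 proposal name. The sample output is constructed from the listing above, and the exact spelling ScreenOS uses for the AES and SHA variants in `get ike cookies` is an assumption, so the comparison normalises spelling.

```python
import re

# Constructed sample output, shortened from the "get ike cookies" / "get vpn"
# listings above; the field layout follows those listings.
IKE_COOKIES = """\
IKEv1 SA -- Active: 1, Dead: 0, Total 1
80522f/0003, 192.168.1.11:500->192.168.1.10:500, PRESHR/grp14/DES/MD5, xchg(2) (ScreenOSVPNTest/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28541 cert-expire 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
"""
GET_VPN = """\
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
ScreenOSVPNTest ScreenOSVPNTest tunl No    g14-esp-des-md5      on      0       eth0/8
"""

# auth/grpN/enc/hash as printed on the SA line, e.g. PRESHR/grp14/DES/MD5
SA_RE = re.compile(r"\b(?P<auth>[A-Z]+)/grp(?P<group>\d+)/(?P<enc>[\w-]+)/(?P<hash>[\w-]+)")
LEGACY = {"DES", "3DES", "MD5", "SHA1"}  # algorithms worth flagging in a report

def norm(alg):
    """Collapse spelling variants (sha-1, sha2-256, SHA1) into one token."""
    a = alg.upper().replace("-", "")
    return "SHA256" if a in ("SHA2256", "SHA256") else a

def parse_ike_sas(text):
    """One dict per IKEv1 SA line: auth method, DH group, encryption, hash."""
    return [{"auth": m["auth"], "group": int(m["group"]),
             "enc": norm(m["enc"]), "hash": norm(m["hash"])}
            for m in map(SA_RE.search, text.splitlines()) if m]

def parse_vpn_proposals(text):
    """Map VPN name -> first phase-2 proposal name from the 'get vpn' table."""
    rows = (line.split() for line in text.splitlines())
    return {c[0]: c[4] for c in rows if len(c) > 4 and c[2] == "tunl"}

def expected_from_proposal(name):
    """Derive group/enc/hash from a proposal name such as g14-esp-aes256-sha256."""
    grp, _esp, enc, hsh = name.split("-", 3)
    return {"group": int(grp[1:]), "enc": norm(enc), "hash": norm(hsh)}

def verify(vpn_name, ike_text, vpn_text):
    """Return (ok, legacy): ok when the live IKE SA matches the VPN's configured
    proposal, legacy listing weak algorithms seen in that SA (report only)."""
    prop = parse_vpn_proposals(vpn_text).get(vpn_name)
    sas = parse_ike_sas(ike_text)
    if prop is None or not sas:
        return False, []
    want, got = expected_from_proposal(prop), sas[0]
    ok = all(got[k] == want[k] for k in ("group", "enc", "hash"))
    return ok, sorted({got["enc"], got["hash"]} & LEGACY)
```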
The Results
Here are the results, each with Tx/Rx in Mbps:
The raw values are as follows:
- Mere routing: 836/833
- DES/MD5: 95/94
- 3DES/MD5: 92/91
- 3DES/SHA-1: 92/91
- AES128/SHA-1: 93/92
- AES256/SHA-1: 93/92
- AES256/SHA2-256: 37/36
Looking into the spec sheets from Juniper, the SSG 140 should have a firewall throughput of “350+ Mbps”, which I can confirm; in fact it almost ran at full gigabit speed. Concerning the VPNs, the throughput for “3des+sha1” as well as “aes256+sha1” is listed as 100 Mbps, which is almost correct. Only the SHA-256 hash decreased the throughput to 37 Mbps.
Featured image: “130727_F1_Hungaroring_149.jpg” by Roman Pfeiffer is licensed under CC BY-ND 2.0.
Hi
Did you have SSG 320 or 350 or 500s? They have crypto Cavium processors to offload VPNs.
I am sure the results will be different.
Best
T