Once more some throughput tests, this time for the site-to-site IPsec VPN of the Palo Alto Networks firewalls. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto, which states an IPsec VPN throughput of 50 Mbps, the results are really astonishing.
Lab
My lab consists of two PA-200 firewalls with PAN-OS 7.1.1 installed. They were plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and used iperf version 2.0.5.
I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The iperf tests ran in both directions. Here are some configuration screenshots:
Of course I verified the correct IPsec algorithms after each change, such as here:
weberjoh@fd-wv-fw02> show vpn ipsec-sa tunnel VPN-Test

GwID/client IP TnID Peer-Address   Tunnel(Gateway)    Algorithm     SPI(in)  SPI(out) life(Sec/KB)
-------------- ---- -------------- ------------------ ------------- -------- -------- ------------
20             24   80.154.108.226 VPN-Test(VPN-Test) ESP/3DES/SHA1 9AA65C85 D49DF3F6 3481/0

Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
Test Results
Here are the results, each Tx/Rx in Mbps:
And the raw values:
- Only routing: 937/934
- esp-3des-sha1-group2-1h: 198/228
- esp-aes128-sha1-group5-1h: 215/271
- esp-aes256-sha256-group14-1h: 205/254
- esp-aes256-sha512-group20-1h: 212/260
That is: all tests are around 200 Mbps. The Tx direction is always a bit slower, which might be an artifact of the test setup. The AES algorithms are faster than the old 3DES cipher. This is probably related to the fact that AES was designed to be fast in both software and hardware.
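As an added example (not code from the original post), the following Python script automates the two checks that belong to each test run above: it parses the "show vpn ipsec-sa" table to confirm that the tunnel really negotiated the expected ESP cipher and hash after a proposal change (a stale SA from the previous proposal would silently produce misleading numbers), and it extracts the Mbps figure from iperf 2 client summary lines so the Tx/Rx values can be tabulated against the routing-only baseline. The SA output and the iperf lines are constructed sample data that mirror the layout shown on this page; the function names are my own.

```python
"""Added example (not part of the original post): validate the negotiated
IPsec SA from PAN-OS CLI output and pull bandwidth numbers out of iperf 2
summary lines. All sample output below is constructed for this example."""
import re

# Constructed PAN-OS output, same layout as the post's 'show vpn ipsec-sa'.
SA_OUTPUT = """\
weberjoh@fd-wv-fw02> show vpn ipsec-sa tunnel VPN-Test

GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
20 24 80.154.108.226 VPN-Test(VPN-Test) ESP/3DES/SHA1 9AA65C85 D49DF3F6 3481/0

Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
"""

# Constructed iperf 2.0.x client summary lines, one per direction.
IPERF_TX = "[  3]  0.0-10.0 sec   236 MBytes   198 Mbits/sec"
IPERF_RX = "[  3]  0.0-10.0 sec   272 MBytes   228 Mbits/sec"

# One data row of the SA table: numeric ids, peer, tunnel, ESP/<enc>/<auth>, SPIs, lifetime.
SA_LINE = re.compile(
    r"^\s*(?P<gwid>\d+)\s+(?P<tnid>\d+)\s+(?P<peer>\S+)\s+(?P<tunnel>\S+)\s+"
    r"ESP/(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+(?P<spi_in>[0-9A-Fa-f]+)\s+"
    r"(?P<spi_out>[0-9A-Fa-f]+)\s+(?P<life>\S+)\s*$"
)


def parse_ipsec_sa(text):
    """Return one dict per SA row; header, separator and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def negotiated_matches(text, tunnel, enc, auth):
    """True only if exactly one SA exists for `tunnel` and it uses enc/auth.
    Run this after every phase 2 change before starting the iperf test."""
    rows = [r for r in parse_ipsec_sa(text) if r["tunnel"].startswith(tunnel + "(")]
    if len(rows) != 1:
        return False
    return rows[0]["enc"].upper() == enc.upper() and rows[0]["auth"].upper() == auth.upper()


# iperf 2 summary: "[ id] interval sec  transferred unit  bandwidth Xbits/sec"
IPERF_SUMMARY = re.compile(
    r"\]\s+\S+\s+sec\s+[\d.]+\s+\w+\s+(?P<bw>[\d.]+)\s+(?P<unit>[KMG])bits/sec"
)


def iperf_mbps(line):
    """Extract the bandwidth from an iperf 2 summary line, normalised to Mbps."""
    m = IPERF_SUMMARY.search(line)
    if not m:
        raise ValueError("no iperf summary found in: " + line)
    scale = {"K": 1e-3, "M": 1.0, "G": 1e3}[m.group("unit")]
    return float(m.group("bw")) * scale


def relative_throughput(tx, rx, baseline_tx, baseline_rx):
    """Fraction of the routing-only throughput retained, per direction."""
    return (round(tx / baseline_tx, 3), round(rx / baseline_rx, 3))


if __name__ == "__main__":
    ok = negotiated_matches(SA_OUTPUT, "VPN-Test", "3DES", "SHA1")
    tx, rx = iperf_mbps(IPERF_TX), iperf_mbps(IPERF_RX)
    # Baseline 937/934 Mbps is the routing-only result from the post.
    print("SA as expected:", ok, "| Tx/Rx Mbps:", tx, rx,
          "| fraction of routing-only:", relative_throughput(tx, rx, 937, 934))
```

In practice you would feed `negotiated_matches` the output of the CLI command captured via SSH and the iperf lines from the client's stdout; the regexes are deliberately whitespace-tolerant because the column widths in the PAN-OS table change with the peer address and tunnel name.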
Conclusion
Wow, these are really high values. The data sheet talks about 50 Mbps, even for the bigger PA-500 firewall. I don’t know why, but my test results are four times greater than the official notes. Ok, I can live with that. ;)
Featured image “Mehrhoog ICE3m 4652 als trein 125 Frankfurt Main” by Rob Dammers is licensed under CC BY 2.0.
Since the PA-200 lacks hardware offloading (all management plane stuff is put into one x86 core and all dataplane stuff is put into the other x86 core) – do you have any possibility to redo the test with any of the hardware based platforms from Palo Alto Networks such as the PA-3000, PA-5000 or even PA-7000 series?
I'm sure Palo Alto Networks would happily provide you with demo units.
Also, running the iperf tests it would be interesting to see if there is any difference between TCP vs UDP, but also 1 stream vs multiple streams (let's say 8 or so)?