Bandwidth degradation and VPNs

May 28th, 2008

Hey folks. I was just wondering how much of a difference is normal when using IPSec and GRE-Tunnels. I am new to VPNs, but it seems we have a client that can download files off the internet with ease, but when downloading a 20Mb file off of our company's server, through a VPN, it takes up to 20 minutes to finish the download.

We are running EIGRP and two static routes on the VPN router. One is pointing traffic to our company's LAN, the other is pointing all other internet traffic out the local DSL router.

Is this type of degradation normal? If not, what are some possible reasons as to why the clients have such slow connections through a VPN?

Thanks!

michael.leblanc Wed, 05/28/2008 - 12:13

I'm assuming the customer is not downloading from the Internet via your VPN, as you have not stated so.

You've not stated anything about the Internet connection's throughput. Many Internet connections are asymmetrical (DSL, cable).

When the customer is downloading directly from the Internet they are utilizing the "download" capacity of their Internet connection.

Note: If they were accessing the Internet by way of the VPN, your Internet connection's "download" throughput would play a role.

When they are downloading from your network (tunneled or otherwise), they are restricted by the "upload" (not download) throughput of your Internet connection. The upload throughput is typically much lower than the download throughput.

How do the two compare?

Keep in mind that their download from your site is also competing for bandwidth with other outbound traffic from your site.

With respect to IPSec throughput, it depends on whether encryption is being done in hardware or software, and what level of encryption you are using (DES, 3DES, AES 128, AES 192, AES 256).

Also, are there additional VPN tunnels terminating on the VPN gateway? How frequently are the SAs being torn down and rebuilt, etc.?

The spec sheets for the VPN devices might be of some help in terms of their capacity (throughput).

pjeunelot Tue, 06/10/2008 - 09:10

There is a certain amount of degradation to performance associated with VPNs. Depending on the type of encryption you use, the amount of degradation changes. AH adds a 16-byte header plus the number of bytes contained in the variable-length ICV field to each packet. ESP has a similar header but adds a trailer and is a bit more complicated to calculate due to two of the fields being variable length, one of which is 0-255 bytes long. If you think about this much overhead being added to each packet, you can understand that there is going to be a performance drop.

Another thing that makes a difference is whether the VPN is in tunnel mode or transport mode. If you use tunnel mode, then you will add an additional IP header (20 bytes) to your packet, whereas in transport mode there are no additional IP headers added.

Yet another factor is whether you are encapsulating the VPN inside a GRE tunnel. GRE tunnels add 24 bytes of overhead by adding a GRE header (4 bytes) and an additional IP header (20 bytes).

I am not sure what your bandwidth was to start with but this may explain some of your problems.
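The per-packet overhead described in the post above, worked through for GRE inside ESP, as an added example that is not part of the original thread. It goes one step beyond the post by also computing the largest inner packet that still fits a given link MTU. Assumptions: IPv4 without options, CBC-mode ciphers with the IV and block sizes listed, a 12-byte ICV, and a 1500-byte link MTU; the function names are hypothetical.

```python
# Added example: per-packet size of GRE over IPsec ESP (IPv4, no options).
IP_HDR = 20        # additional IP header, as in the post
GRE_HDR = 4        # basic GRE header, as in the post
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV_LEN = 12       # assumption: 96-bit truncated HMAC (MD5 or SHA-1)
# Assumption: CBC-mode ciphers; value is (IV bytes, cipher block bytes).
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes": (16, 16)}


def wire_size(inner_len, cipher="aes", tunnel_mode=True):
    """Bytes on the wire for one inner IP packet sent through GRE + ESP."""
    iv, block = CIPHERS[cipher]
    gre_packet = IP_HDR + GRE_HDR + inner_len        # the 24 bytes GRE adds
    if tunnel_mode:
        plaintext = gre_packet                       # whole GRE packet encrypted
    else:
        plaintext = gre_packet - IP_HDR              # GRE's IP header is reused
    # ESP padding (0-255 bytes) aligns plaintext + trailer to the block size.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + ICV_LEN


def overhead(inner_len, cipher="aes", tunnel_mode=True):
    """Extra bytes added to one inner packet by the encapsulation."""
    return wire_size(inner_len, cipher, tunnel_mode) - inner_len


def max_inner_packet(link_mtu=1500, cipher="aes", tunnel_mode=True):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if wire_size(inner, cipher, tunnel_mode) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for this encapsulation")


if __name__ == "__main__":
    for cipher in CIPHERS:
        for tunnel in (True, False):
            mode = "tunnel" if tunnel else "transport"
            fit = max_inner_packet(1500, cipher, tunnel)
            # TCP MSS assumes 20-byte IP and 20-byte TCP headers, no options.
            print(f"{cipher:>4} {mode:<9} 1500-byte packet -> "
                  f"{wire_size(1500, cipher, tunnel)} bytes on the wire, "
                  f"largest unfragmented inner packet {fit} "
                  f"(TCP MSS {fit - 40})")
```

A full-size 1500-byte packet grows past a 1500-byte link MTU in every combination, so comparing the computed inner packet size with the tunnel interface MTU and TCP MSS settings is a useful check alongside the raw bandwidth figures.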
