Here is a brief mention of IPSec-related benchmarks, just so people can get an idea of what performance degradation you are likely to see (yes, you will get a loss in performance, although if you have sufficiently overspecced parts you might not notice :)).
The benchmarks posted by me are from two P3/600 machines connected via a 10Base-T hub. One is running Gentoo, the other Debian. I don't think the authentication method will make any difference, but at the moment I am using PSK (mainly since I just finished that page :)).
Transferring a 200MB file consisting entirely of zeroes (hi /dev/zero) from one machine to the other via FTP (proftpd 1.2.8, ncftp 3.1.5):

|<Config | Transfer Rate | CPU | Load
|<No IPSec |>863.65 kB/s |> 6% | 1.0
|<IPSec |>778.21 kB/s |>25% | 1.0
|<IPSec Compress |>1.92 MB/s |>35% | 1.0

I'm slightly at a loss as to why the load was so consistently high but I guess that's the price you pay to have a process constantly wanting disk access.
You can see that enabling IP compression on the IPSec tunnel can lead to a dramatic speedup in transfer rates, at the cost of about 50% extra CPU cycles. Still - it was transferring at over twice what it would have been in clear text. This is probably almost entirely explained by the fact that the file I was transferring consisted entirely of zeroes. I will try with a more realistic file at some point.
More realistic file stats, transferring 3DMark2001SE_330.exe between the same hosts:

|<Config |Transfer Rate|CPU|Load
|<IPSec |>778.30 kB/s |>25% | 0.3
|<IPSec Compress |>766.67 kB/s |>30% | 0.3

The load has definitely decreased since I did the original numbers. I guess something else must have been doing something. We can also see that using a real file (i.e. one that isn't made up exclusively of zeros) takes a massive cut out of the compressed performance - in fairness, the .exe is already packed pretty tightly so there is probably nothing the IPSec compression could really do. If you have a lot of uncompressed traffic floating around (telnet, web, whatever) then it might help. For file transfers where the targets are usually already compressed, it makes no real difference and can actually negate any advantage, as has happened here.
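To judge in advance whether IP compression is worth its CPU cost for a given kind of traffic, the following added example (not part of the original benchmarks) estimates the bytes on the wire when each datagram is compressed on its own, as IPComp (RFC 3173) does. It assumes DEFLATE as the compression algorithm and a 1400-byte payload per datagram; the three inputs are constructed stand-ins for the zero-filled file, an already packed executable, and plain-text traffic.

```python
import random
import zlib

PAYLOAD = 1400       # assumed payload bytes per datagram (constructed value)
IPCOMP_HEADER = 4    # IPComp header length in bytes (RFC 3173)

def wire_bytes(data, payload=PAYLOAD):
    """Bytes sent after compressing each datagram independently."""
    total = 0
    for off in range(0, len(data), payload):
        chunk = data[off:off + payload]
        # Fresh raw-DEFLATE state per datagram: IPComp keeps no history
        # between packets, so every packet starts with an empty dictionary.
        comp = zlib.compressobj(6, zlib.DEFLATED, -15)
        packed = len(comp.compress(chunk) + comp.flush()) + IPCOMP_HEADER
        # RFC 3173: a datagram that does not shrink is sent uncompressed.
        total += packed if packed < len(chunk) else len(chunk)
    return total

def ratio(data):
    """Wire bytes divided by original bytes (1.0 means no saving)."""
    return wire_bytes(data) / len(data)

def samples(size=1 << 20):
    """Constructed inputs standing in for the transfers on this page."""
    rng = random.Random(0)  # fixed seed so the run is repeatable
    line = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
    return {
        # like the /dev/zero file
        "zeroes": bytes(size),
        # high-entropy bytes, a stand-in for an already packed .exe
        "random": bytes(rng.getrandbits(8) for _ in range(size)),
        # repetitive text, a stand-in for telnet/web traffic
        "text": (line * (size // len(line) + 1))[:size],
    }

if __name__ == "__main__":
    for name, data in samples().items():
        print(f"{name:8s} wire/original = {ratio(data):.3f}")
```

The ratio only bounds the bytes saved on the link; it does not predict throughput, since the compression CPU cost is paid on every datagram whether or not it shrinks.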
Could the load have been due to the compressor being able to do a lot of work?