From: Darren Reed
Subject: Re: KAME IPsec on low-end hardware
To: ns@BlueSkyFrog.COM (Nick Slager)
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 7 Nov 2001 19:30:56 +1100 (Australia/NSW)
Message-Id: <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
In-Reply-To: <20011107163846.H25762@BlueSkyFrog.COM> from "Nick Slager" at Nov 07, 2001 04:38:46 PM

In some mail from Nick Slager, sie said:
>
> Just set up my first IPsec link between two 4.4-REL boxes. They are
> connected thusly:
>
> IPsec            Linux           IPsec
> Box 1  -----  router box  -----  Box 2
> 192.168.1.1                192.168.2.1
>
> This is all set up on a 100mb ethernet LAN.
>
> When pinging the box with the IPsec link active, I'm getting
> suboptimal response times:
>
> box1 ~ % ping box2
> PING box2.internal (192.168.2.1): 56 data bytes
> 64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=35.338 ms
> 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
>
> With IPsec not active, response times are "normal" (~ 0.5ms)

That doesn't sound normal to me.

I've been using IPsec on an OpenBSD/sparc (IPX) box which is definitely
not faster than either the DX4/100 or P90 and my ping times are still in
the 3-5 ms range to a NetBSD/Celeron-533. In the absence of IPsec, ping
times are sub-1ms. These are on the same LAN (no router between them),
however. That is using DES-MD5.