From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
Date: Wed, 07 Nov 2001 08:20:36 -0600
To: Nick Slager
Cc: Darren Reed, freebsd-security@freebsd.org
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <3BE94334.488CC3A8@centtech.com>

I have done many experiments with this, and never seen over 10ms ping
times, using 2 486-133's to do the ipsec tunneling. Sounds like maybe
something isn't set up just right. Ping every IP you know of, and see
if anything else has high ping times. Also, if there are multiple IPs
on the ipsec boxes, try pinging from each of those to see how it turns
out. Try turning encryption off, just using a tunnel. Anyway, I'm using
blowfish (which seems to be one of the slowest) and still get sub 10ms
ping times (usually 5-8ms).

Eric

Nick Slager wrote:
>
> Thus spake Darren Reed (avalon@cairo.anu.edu.au):
>
> > > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> > >
> > > With IPsec not active, response times are "normal" (~ 0.5ms)
> >
> > That doesn't sound normal to me.
> >
> > I've been using IPsec on an OpenBSD/sparc (IPX) box which is
> > definitely not faster than either the DX4/100 or P90 and my
> > ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> > In the absence of IPsec, ping times are sub-1ms. These are
> > on the same LAN (no router between them), however. That is
> > using DES-MD5.
>
> Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
> No change in response times.
>
> I will take the router box out of the loop tomorrow and
> see how things go, but don't think that's the problem.
>
> Nick
>
> --
> Excuse of the day:
> Password is too complex to decrypt
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology
No single raindrop believes it is to blame for the flood.
-------------------------------------------------------------