Hi there!

We are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus version VPN1401 cards in a FreeBSD box using hifn support. From the technical specs on the Soekris website, http://www.soekris.com/vpn1401.htm, each card can support 24 to 70 connections. The question is, if we put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support 3 x (24 to 70) IPSEC connections?

Thanks in advance for the clarification and advice!

Best regards
Sekchye
Hi Sam,

Thanks for the enlightening answer. Initially, we were thinking of building a super duper IPSEC VPN concentrator using FreeBSD with multiple crypto accelerator cards like the Soekris VPN1401 and a Gigabit interface card to terminate many many IPSEC connections in one single box. After reading your reply, I guess we will just use one crypto accelerator card in each FreeBSD box and scale up by adding more boxes. Thanks!

On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler <sam@errno.com> wrote:
> sekchye goh wrote:
> > Hi there!
> > we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
> > version VPN1401 cards in a FreeBSD box using hifn support.
> > From the technical specs on the Soekris website
> > http://www.soekris.com/vpn1401.htm,
> > each card can support 24 to 70 connections. The question is if we
> > put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> > 3 x (24 to 70) IPSEC connections ?
> >
> Not sure where the 24-70 connection numbers come from. If it's based on
> allocating session state in on-chip SDRAM then that was removed a while
> ago by moving the session state allocation to host memory. If the
> numbers are representative of peak performance then I'd be curious where
> they came from. Understand that you're likely to be bus-limited for
> performance and adding additional cards isn't going to help unless cards
> are on separate pci buses. Beware however that the current crypto code
> does not manage multiple cards well. If you decide to go with multiple
> cards you'll want to do some load balancing.
>
> Sam
Hi Sam,

On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler <sam@errno.com> wrote:
> Beware however that the current crypto code
> does not manage multiple cards well. If you decide to go with multiple
> cards you'll want to do some load balancing.

Just to explore the load balancing, I searched but cannot find much info on IPSEC load balancing with multiple crypto accelerator cards. How do I do IPSEC load balancing with multiple cards in FreeBSD? Any pointers will be much appreciated. Thanks!

Best regards
Goh Sek Chye
sekchye goh wrote:
> Hi there!
> we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
> version VPN1401 cards in a FreeBSD box using hifn support.
> From the technical specs on the Soekris website
> http://www.soekris.com/vpn1401.htm,
> each card can support 24 to 70 connections. The question is if we
> put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> 3 x (24 to 70) IPSEC connections ?
>

Not sure where the 24-70 connection numbers come from. If it's based on allocating session state in on-chip SDRAM then that was removed a while ago by moving the session state allocation to host memory. If the numbers are representative of peak performance then I'd be curious where they came from. Understand that you're likely to be bus-limited for performance and adding additional cards isn't going to help unless cards are on separate pci buses. Beware however that the current crypto code does not manage multiple cards well. If you decide to go with multiple cards you'll want to do some load balancing.

Sam
sekchye goh wrote:
| Hi there!
| we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
| version VPN1401 cards in a FreeBSD box using hifn support.
| From the technical specs on the Soekris website
| http://www.soekris.com/vpn1401.htm,
| each card can support 24 to 70 connections. The question is if we
| put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
| 3 x (24 to 70) IPSEC connections ?

No, the 24 or 70 figure refers to the number of new connections per second (where each new connection involves 1 sign or verify public key operation; such operations are usually the bottleneck).

But if you want something really fast, and if you can spend another couple of hundred dollars on the motherboard/CPU, do the crypto in software; it will be faster than a hardware solution using those Soekris vpn14x1 cards. According to their tech specs, the highest throughput they support while doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can encrypt with RC4 at 2500 Mbps. As an example, this means you can choose to limit the throughput to 1250 Mbps and keep 50% of your CPU time for other applications, or just add a second CPU to your system. A 2.2 GHz Opteron (x48) scales to 3100 Mbps, and a 2.6 GHz one (x52) would scale to 3700 Mbps.

The performance/price ratio depends on which CPU and which crypto card are compared; sometimes the hardware solution has the advantage, sometimes it's the software solution. The downside of the software solution is that some algorithms are quite slow (DES), while others are blazing fast (RC4, MD5). Depending on your security requirements, this may be a problem, or not.

--
Marc Bevand http://epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.