ipsec vpn2vpn stability?

Matte · April 28, 2015, 4:55pm

Hi,

I’m trying to determine if I can/should use VyOS in an site 2 site with ipsec described below.

1 main (600Mbit Internt) and 6 remote sites (~100Mbit each) .
All traffic from the remote sites is routed/tunneld to the main site.
All sites have full access to each other
All VyOS installations would run in hyper-v 2012 r2
Hyper-v hardware, Dell PE720 with Intel XEON, Broadcom nics. Moderately utilized.

My main concern is stability and second what kind of throughput I would get.

vyos+hyper-v?
isp instability, will tunnel reestablish them self automatically. “Self-healing”
Added latency

Today we us an aging fleet of asa devices that I would like replace, if possible with vyos. I have been using Vyatta for internal routing for years and I’m impress by it! It just works

Anyone using Vyos like this today?

Thanks

cgb · April 29, 2015, 1:04am

(1) - can’t imagine it would be a problem, maybe guest tools integration may not work but that only optimises the configuraiton (and assists with some hypervisor management tools), shouldn’t prevent it from fundamentally working.

(2) - I prefer OpenVPN for tunnels so not so sure about IPSEC specifically, but there shouldn’t be any problems with it reestablishing (should be some retry intervals etc).

(3) - Your measures may vary

I recommend you evaluate a pair of firewalls at hub with some form of redundancy (VyOS clustering supports IPSEC failover I believe). This maximises your flexibility for upgrades/configuration changes etc that might be disruptive.

Matte · April 29, 2015, 8:21am

Thanks for your input!

I’m going to set up a test environment and see what it looks like

Intel AES-NI, found a thread about it http://forum.vyos.net/showthread.php?tid=6327
anyone know if its support in vyos 1.1.5 or if there is a roadmap for it?
Regards

biedron · May 4, 2015, 5:54am

Hi,

If you wan’t use ipsec, you must using DPD (Dead Peer Detection), so if tunnel down, restablished automatically (time interval etc, ). We using ipsec beetwen three main location via fibre link, and we don’t have any problem with stability.

Matte · May 6, 2015, 2:48pm

Thanks for DPD, i’ll read up on it

I have played around with an ipsec/vti site-to-site tunnel between 2 virtual servers on two different physical servers and get ~330Mbit/s throughput (iperf). 1-2 ms latency.
The weakest server uses 1 Xeon® CPU E5507 @ 2.27GHz (Q1’10) and this looks like my bottleneck.

Does this sound like reasonable speed for this setup?

Is there an IKE/ESP encryption combinations that is extra nice to the cpu?

My tunnel config below:

[php] ipsec {
esp-group ESP-TMP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group IKE-TMP {
ikev2-reauth no
key-exchange ikev1
lifetime 14400
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth1
}
site-to-site {
peer 10.1.1.100 {
authentication {
mode pre-shared-secret
pre-shared-secret test_key_1
}
connection-type initiate
ike-group IKE-TMP
ikev2-reauth inherit
local-address 10.1.1.101
vti {
bind vti0
esp-group ESP-TMP
}
}
}
}[/php]

biedron · May 7, 2015, 9:56am

Hi,

This me config:
IKE

show vpn ipsec ike-group IKE
 dead-peer-detection {
     action clear
     interval 30
     timeout 120
 }
 lifetime 86400
 proposal 1 {
     dh-group 5
     encryption aes256
     hash sha1
 }
 proposal 2 {
     dh-group 5
     encryption aes128
     hash sha1
 }

ESP

show vpn ipsec esp-group ESP compression disable lifetime 3600 mode tunnel pfs disable proposal 1 { encryption aes256 hash sha1 } proposal 2 { encryption aes128 hash sha1 }[/quote]
I have araound 250 vti tunnel, and 2 tunnel fibrelink connect to difrent location, and when we tested Vyatta/VyOS we using standard PC (i5 first gen, and 4 Gb ram and vmware virtualization) and cpu utilization show 0.1 %. So i think your configuration is ok.

Matte · May 8, 2015, 12:50pm

One last question about performance

If I understand it correct ipsec is singel core/nic bound in vyos and don’t use AES-NI for HW acceleration at the moment?
But by simply using 2 external nic:s I can pretty much double my ipsec throughput as long as I have cores to match or am I oversimplifying this? (max ipsec throughput 1/2 per one session/tunnel)

An Intel Xeon E3-1271 v3 at 3.6GHz and a Broadcom 5720 nic would be a pretty decent setup for this? Maybe an Intel I350 DP instead off Broadcom 5720?

VyOS is really impressive

Thanks!