Juniper ScreenOS VPN Speedtests

Just for fun, here are some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I ran the same iperf TCP tests as in my labs for Fortinet and Palo Alto, using six different phase 1/2 proposals (crypto algorithms). The results were as expected, with one exception.

The Lab

I used two Juniper SSG 140 firewalls with ScreenOS version 6.3.0r24.0. Only the 1 Gbps interfaces (eth0/8 and eth0/9) were used. A simple unmanaged HP switch sat between the two firewalls. At both ends I booted notebooks into Knoppix 7.7.1, which has iperf version 2.0.9 installed. I tested the mere routing speed (without any IPsec VPNs) as well as the following crypto algorithms, which I changed for each test in both VPN phases (IKE and IPsec): DES/MD5, 3DES/MD5, 3DES/SHA-1, AES128/SHA-1, AES256/SHA-1, AES256/SHA2-256. I always used Diffie-Hellman group 14 for the key establishment, which only affects the start of the VPN session and not the bulk encryption.

The ScreenOS config lines for those protocols were the following:

Before each test I verified the correct crypto algorithms used for the VPN sessions, such as:

 

The Results

Here are the results, each with Tx/Rx in Mbps:

The raw values are as follows:

  • Mere routing: 836/833
  • DES/MD5: 95/94
  • 3DES/MD5: 92/91
  • 3DES/SHA-1: 92/91
  • AES128/SHA-1: 93/92
  • AES256/SHA-1: 93/92
  • AES256/SHA2-256: 37/36

According to the spec sheets from Juniper, the SSG 140 should have a firewall throughput of “350+ Mbps”, which I can confirm. It did even better, since it ran at almost full gigabit speed. For the VPNs, the throughput for “3des+sha1” as well as “aes256+sha1” is listed as 100 Mbps, which is almost correct. Only the SHA-256 hash decreased the throughput, to 37 Mbps.

Featured image: “130727_F1_Hungaroring_149.jpg” by Roman Pfeiffer is licensed under CC BY-ND 2.0.

One thought on “Juniper ScreenOS VPN Speedtests”

  1. Hi
    Did you have SSG 320 or 350 or 500s? They have crypto cavium processors to offload VPNs.
    I am sure the results will be different.

    Best
    T
