Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.
[This is one of many VPN tutorials on my blog. Please look here to find the appropriate one.]
I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The iperf tests ran in both directions. Here are some configuration screenshots:
Of course I verified the correct IPsec algorithms after each change, such as here:
weberjoh@fd-wv-fw02> show vpn ipsec-sa tunnel VPN-Test
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
20 24 18.104.22.168 VPN-Test(VPN-Test) ESP/3DES/SHA1 9AA65C85 D49DF3F6 3481/0
Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
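Verifying the negotiated algorithm by eye after every change is easy to get wrong, so here is an added example (not from the original post) that parses the `show vpn ipsec-sa tunnel <name>` output shown above and refuses to accept a measurement unless the SA really uses the phase 2 proposal under test. The sample output is modelled on the CLI lines on this page; the row layout, the mapping from profile names such as `esp-aes256-sha256-group14-1h` to the `ENC/AUTH` tokens PAN-OS prints, and the function names are my assumptions:

```python
"""Check that a PAN-OS IPsec SA uses the phase 2 algorithms we expect.

Added example, not code from the original post. The CLI sample below is
modelled on the `show vpn ipsec-sa tunnel VPN-Test` output on the page;
the token mapping and row regex are assumptions about the output format.
"""
import re

# Sample CLI output, copied in shape from the page's own listing.
SAMPLE_OUTPUT = """\
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
20 24 18.104.22.168 VPN-Test(VPN-Test) ESP/3DES/SHA1 9AA65C85 D49DF3F6 3481/0
Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
"""

# One SA row: gateway id, tunnel id, peer, tunnel(gateway), PROTO/ENC/AUTH, SPIs, lifetime.
SA_ROW = re.compile(
    r"^\s*(?P<gw>\d+)\s+(?P<tnid>\d+)\s+(?P<peer>\S+)\s+(?P<tunnel>\S+)\s+"
    r"(?P<proto>ESP|AH)/(?P<enc>[A-Z0-9-]+)/(?P<auth>[A-Z0-9-]+)\s+"
    r"(?P<spi_in>[0-9A-Fa-f]+)\s+(?P<spi_out>[0-9A-Fa-f]+)\s+(?P<life>\S+)"
)


def parse_ipsec_sa(text):
    """Return one dict per SA row found in the CLI output (header lines are skipped)."""
    return [m.groupdict() for line in text.splitlines() if (m := SA_ROW.match(line))]


# Assumed mapping from crypto-profile name parts to the tokens in the Algorithm column.
ENC_TOKENS = {"3des": "3DES", "aes128": "AES128", "aes256": "AES256"}
AUTH_TOKENS = {"sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}
LEGACY_ENC = {"DES", "3DES"}  # flagged so a legacy cipher never slips by unnoticed


def expected_from_profile(profile):
    """'esp-aes256-sha256-group14-1h' -> ('AES256', 'SHA256')."""
    parts = profile.lower().split("-")
    if len(parts) < 3 or parts[0] != "esp":
        raise ValueError(f"unrecognised profile name: {profile}")
    return ENC_TOKENS[parts[1]], AUTH_TOKENS[parts[2]]


def check_tunnel(text, tunnel, profile):
    """Return (ok, message).

    ok is True only when exactly one SA exists for `tunnel` and its ENC/AUTH
    match `profile`; a legacy cipher is noted in the message even when it matches.
    """
    rows = [sa for sa in parse_ipsec_sa(text) if sa["tunnel"].startswith(tunnel + "(")]
    if len(rows) != 1:
        return False, f"expected exactly 1 SA for {tunnel}, found {len(rows)}"
    sa = rows[0]
    want_enc, want_auth = expected_from_profile(profile)
    if (sa["enc"], sa["auth"]) != (want_enc, want_auth):
        return False, (f"{tunnel}: negotiated {sa['enc']}/{sa['auth']}, "
                       f"expected {want_enc}/{want_auth} from {profile}")
    note = " (legacy cipher)" if sa["enc"] in LEGACY_ENC else ""
    return True, f"{tunnel}: {sa['proto']}/{sa['enc']}/{sa['auth']} as expected{note}"


if __name__ == "__main__":
    # The sample SA is 3DES/SHA1, so the first check passes and the second fails.
    for prof in ("esp-3des-sha1-group2-1h", "esp-aes128-sha1-group5-1h"):
        print(check_tunnel(SAMPLE_OUTPUT, "VPN-Test", prof))
```

In a test loop you would feed the live CLI output into `check_tunnel` before starting iperf and skip the run when it returns `False`, so a result is never attributed to a proposal the firewalls did not actually negotiate.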
Here are the results, each Tx/Rx in Mbps:
And the raw values:
- Only routing: 937/934
- esp-3des-sha1-group2-1h: 198/228
- esp-aes128-sha1-group5-1h: 215/271
- esp-aes256-sha256-group14-1h: 205/254
- esp-aes256-sha512-group20-1h: 212/260
In short: all tests land around 200 Mbps. The Tx direction is consistently a bit slower, which might be down to the test setup. The AES algorithms are faster than the old 3DES cipher, probably because AES was designed to be fast in both software and hardware.
Wow, these are really high values. The data sheet talks about 50 Mbps, even for the bigger PA-500 firewall. I don’t know why, but my test results are four times the official figure. Ok, I can live with that. ;)