Once more some throughput tests, this time for the site-to-site IPsec VPN of Palo Alto Networks firewalls. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet from Palo Alto, which states an IPsec VPN throughput of 50 Mbps, the results are really astonishing.
Lab
My lab consists of two PA-200 firewalls with PAN-OS 7.1.1 installed. They were plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5.
I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The Iperf tests ran in both directions. Here are some configuration screenshots:
Of course I verified the correct IPsec algorithms after each change, such as here:
weberjoh@fd-wv-fw02> show vpn ipsec-sa tunnel VPN-Test

GwID/client IP  TnID  Peer-Address     Tunnel(Gateway)     Algorithm       SPI(in)   SPI(out)  life(Sec/KB)
--------------  ----  ---------------  ------------------  --------------  --------  --------  ------------
20              24    80.154.108.226   VPN-Test(VPN-Test)  ESP/3DES/SHA1   9AA65C85  D49DF3F6  3481/0

Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
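To make that per-test check repeatable rather than eyeballed, here is an added example (my own code, not from the post or from Palo Alto) that parses the "show vpn ipsec-sa tunnel" output and confirms the negotiated ESP cipher and hash match the phase 2 profile under test. The sample output is constructed after the listing above, and the assumption that PAN-OS prints the cipher as e.g. "AES128" or "AES-128" is handled by normalising both spellings.

```python
import re

# Constructed sample of PAN-OS "show vpn ipsec-sa tunnel <name>" output, laid
# out like the listing in the post; the values are illustrative, not captured.
SAMPLE_OUTPUT = """\
GwID/client IP  TnID  Peer-Address     Tunnel(Gateway)     Algorithm       SPI(in)   SPI(out)  life(Sec/KB)
--------------  ----  ---------------  ------------------  --------------  --------  --------  ------------
20              24    80.154.108.226   VPN-Test(VPN-Test)  ESP/3DES/SHA1   9AA65C85  D49DF3F6  3481/0

Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.
"""

# One SA row: whitespace-separated columns, Algorithm written as ESP/<cipher>/<hash>.
ROW_RE = re.compile(
    r"^\s*(?P<gwid>\S+)\s+(?P<tnid>\d+)\s+(?P<peer>\S+)\s+(?P<tunnel>\S+)\s+"
    r"ESP/(?P<enc>[A-Z0-9-]+)/(?P<auth>[A-Z0-9-]+)\s+"
    r"(?P<spi_in>[0-9A-Fa-f]+)\s+(?P<spi_out>[0-9A-Fa-f]+)\s+"
    r"(?P<life_sec>\d+)/(?P<life_kb>\d+)\s*$"
)

def parse_ipsec_sas(text):
    """Return one dict per active IPsec SA row; header and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sa = m.groupdict()
            for key in ("tnid", "life_sec", "life_kb"):
                sa[key] = int(sa[key])
            sas.append(sa)
    return sas

def _norm(token):
    # Assumption: 'AES-128', 'AES128' and 'aes128' all mean the same cipher.
    return token.lower().replace("-", "")

def sa_matches_profile(sa, profile):
    """True if the SA negotiated the cipher and hash of a phase 2 profile such as
    'esp-aes256-sha256-group14-1h'. PFS group and lifetime are not shown in this
    output, so only the ESP cipher and hash are compared."""
    parts = profile.lower().split("-")
    if len(parts) < 3 or parts[0] != "esp":
        return False
    return _norm(sa["enc"]) == _norm(parts[1]) and _norm(sa["auth"]) == _norm(parts[2])

def verify_tunnel(text, tunnel, profile):
    """Return the SA for `tunnel` when exactly one is up and it matches `profile`,
    else None, so a speed test can refuse to run against the wrong algorithm."""
    rows = [sa for sa in parse_ipsec_sas(text) if sa["tunnel"].startswith(tunnel + "(")]
    if len(rows) != 1 or not sa_matches_profile(rows[0], profile):
        return None
    return rows[0]
```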
Test Results
Here are the results, each Tx/Rx in Mbps:
And the raw values:
- Only routing: 937/934
- esp-3des-sha1-group2-1h: 198/228
- esp-aes128-sha1-group5-1h: 215/271
- esp-aes256-sha256-group14-1h: 205/254
- esp-aes256-sha512-group20-1h: 212/260
In short: all tests land at around 200 Mbps. The Tx direction is always a bit slower, which might be an artefact of the test setup. The AES algorithms are faster than the old 3DES cipher, which might be related to the fact that AES was designed to be fast in both software and hardware.
Conclusion
Wow, these are really high values. The data sheet talks about 50 Mbps, even for the bigger PA-500 firewall. I don’t know why, but my test results are four times greater than the official figures. Ok, I can live with that.