Testing AIX IPSEC tunnel performance with IPERF tool
With IPSEC VPN technology, organizations can use the public Internet as the backbone for their communications network infrastructure, achieving global reach and significant cost savings, while maintaining the security of internal communications.
Virtual private networks, or VPNs, create secure connections, called tunnels, through public shared communication infrastructures like the Internet. These tunnels are not physical entities, but logical constructs, created using encryption, security standards, and protocols.
As these standards and protocols have continued to evolve, various VPN technologies have emerged. IPSEC VPNs are at the forefront of current secure VPN technologies.
IPERF Tool
iPerf3 is built on a client-server model and measures maximum UDP, TCP and SCTP throughput between client and server stations. It can also be used to measure LAN and wireless LAN throughput.
The tool is simple to use: a single executable runs on both the client and the server. Command-line parameters indicate which system takes on the role of the server (the target) and which is the client. It makes no difference which is which.
By default, iPerf3 only measures the bandwidth from client to server, so configure the commands properly to measure bidirectional throughput.
Why performance testing for IPSEC?
Increased security comes at a performance cost, and security and performance are often traded off in IPSec implementations. IPSec can add latency and reduce throughput.
After the tunnels are set up, the IPSec gateways encrypt outbound traffic and decrypt traffic coming into the network. Encryption and decryption are by nature computationally intensive — this is partly why encrypted data stays secure. However, computational overhead means that the throughput through an IPSec tunnel is limited by the encryption and decryption capabilities of the gateways. In addition, encryption and decryption can add significant latency.
How to test IPSec tunnel with IPERF tool?
Set up IPSEC tunnels between two AIX nodes.
1. Enable IPSEC Device for IPV4 and IPV6 on the AIX Nodes
# lsdev | grep ipsec
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
2. The IPSEC daemons need to be up and running.
# lssrc -g ike; lssrc -s isakmpd; lssrc -s ikev2d
Subsystem Group PID Status
cpsd ike 6357362 active
tmd ike 10944944 active
iked ike 8454432 active
Subsystem Group PID Status
isakmpd 8061346 active
Subsystem Group PID Status
ikev2d 6488398 active
3. Activate IPSEC tunnels.
An XML tunnel definition containing the required authentication method, encryption algorithms and IP addresses must be prepared and loaded into the IKE database with the command ikedb -p <filename.xml>.
IPsec tunnels can be configured with either pre-shared key exchange or certificate exchange. The command "ike cmd=activate" activates the tunnel. The machine on which the tunnel is activated is called the "initiator" and the other machine the "responder".
PSK:
# ike cmd=list
Phase Tun Id Status Local Id Remote Id
1 1 Active 10.10.10.71 10.10.10.72
2 1 Active 10.10.10.71-10.10.10.71 10.10.10.72-10.10.10.72
Certificate:
# ike cmd=list
Phase Tun Id Status Local Id Remote Id
1 1 Active /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2_ASN /C=IN/ST=KA/L=BA/O=IBM/OU=ISL/CN=test2_ASN
2 1 Active 10.10.10.71 10.10.10.72
4. Install the latest IPERF tool on both the initiator and responder AIX nodes.
RPM package link: https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha#I:~:text=files%20for%20iperf3%27-,iperf3,-3.14.1
# rpm -Uvh iperf3-3.10.1-1.aix6.1.ppc.rpm
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:iperf3-3.10.1-1 ################################# [100%]
5. Verify IPERF tool
# iperf3 --version
iperf 3.10.1 (cJSON 1.7.13)
AIX fvtden2-lp6 3 7 00C4A9D84C00
Optional features available: SCTP, authentication, support IPv4 don't fragment
6. Start the IPERF server on the responder.
(0) root @ fvtden2-lp7: /
# iperf3 -s
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
This command tells this instance of iPerf3 to function as a server, i.e. to wait to receive data. By default, the iPerf3 server listens on port 5201, as the output above shows.
7. Run the IPERF client on Initiator.
# iperf3 -c 10.10.10.72 --bidir -t 86400 -P 5 -l 1024
The client will communicate with an iPerf3 server located at IP address 10.10.10.72. The -c option tells the iPerf3 instance to function as a client station.
By default, this benchmarks throughput in one direction only, from client to server. To measure throughput both upstream and downstream, add the --bidir (bidirectional) option to the command.
The other options: -t (--time) is the test duration in seconds, so 86400 runs traffic for 24 hours; -l (--length) is the length of the buffer to read or write; and -P (--parallel) is the number of parallel client streams to run. Without -t, the test runs for 10 seconds (as the sample output in step 8 shows) and then reports the average throughput for the run.
To explore more iPerf3 client and server options, refer to the iperf3 man page.
8. Sample output of IPERF3 test on Client.
# iperf3 -c 10.10.10.72 --bidir
Connecting to host 10.10.10.72, port 5201
[ 5] local 10.10.10.71 port 32849 connected to 10.10.10.72 port 5201
[ 7] local 10.10.10.71 port 32850 connected to 10.10.10.72 port 5201
[ ID][Role] Interval Transfer Bitrate
[ 5][TX-C] 0.00-1.00 sec 3.78 MBytes 31.7 Mbits/sec
[ 7][RX-C] 0.00-1.00 sec 18.0 MBytes 151 Mbits/sec
[ 5][TX-C] 1.00-2.00 sec 4.62 MBytes 38.7 Mbits/sec
[ 7][RX-C] 1.00-2.00 sec 17.6 MBytes 147 Mbits/sec
[ 5][TX-C] 2.00-3.00 sec 2.42 MBytes 20.3 Mbits/sec
[ 7][RX-C] 2.00-3.00 sec 18.4 MBytes 155 Mbits/sec
[ 5][TX-C] 3.00-4.00 sec 2.18 MBytes 18.3 Mbits/sec
[ 7][RX-C] 3.00-4.00 sec 18.7 MBytes 157 Mbits/sec
[ 5][TX-C] 4.00-5.00 sec 3.81 MBytes 32.0 Mbits/sec
[ 7][RX-C] 4.00-5.00 sec 17.9 MBytes 150 Mbits/sec
[ 5][TX-C] 5.00-6.00 sec 2.65 MBytes 22.3 Mbits/sec
[ 7][RX-C] 5.00-6.00 sec 18.4 MBytes 154 Mbits/sec
[ 5][TX-C] 6.00-7.00 sec 8.13 MBytes 68.2 Mbits/sec
[ 7][RX-C] 6.00-7.00 sec 16.5 MBytes 138 Mbits/sec
[ 5][TX-C] 7.00-8.00 sec 4.84 MBytes 40.6 Mbits/sec
[ 7][RX-C] 7.00-8.00 sec 17.5 MBytes 147 Mbits/sec
[ 5][TX-C] 8.00-9.00 sec 5.25 MBytes 44.0 Mbits/sec
[ 7][RX-C] 8.00-9.00 sec 17.7 MBytes 148 Mbits/sec
[ 5][TX-C] 9.00-10.00 sec 2.97 MBytes 24.9 Mbits/sec
[ 7][RX-C] 9.00-10.00 sec 18.4 MBytes 155 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID][Role] Interval Transfer Bitrate
[ 5][TX-C] 0.00-10.00 sec 40.6 MBytes 34.1 Mbits/sec sender
[ 5][TX-C] 0.00-10.01 sec 40.1 MBytes 33.6 Mbits/sec receiver
[ 7][RX-C] 0.00-10.00 sec 179 MBytes 150 Mbits/sec sender
[ 7][RX-C] 0.00-10.01 sec 179 MBytes 150 Mbits/sec receiver
Sample output on the IPERF server:
# iperf3 -s
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from 10.10.10.71, port 32848
[ 5] local 10.10.10.72 port 5201 connected to 10.10.10.71 port 32849
[ 8] local 10.10.10.72 port 5201 connected to 10.10.10.71 port 32850
[ ID][Role] Interval Transfer Bitrate
[ 5][RX-S] 0.00-1.03 sec 3.46 MBytes 28.2 Mbits/sec
[ 8][TX-S] 0.00-1.03 sec 18.6 MBytes 152 Mbits/sec
[ 5][RX-S] 1.03-2.13 sec 4.57 MBytes 34.9 Mbits/sec
[ 8][TX-S] 1.03-2.13 sec 19.5 MBytes 149 Mbits/sec
[ 5][RX-S] 2.13-3.10 sec 2.33 MBytes 20.2 Mbits/sec
[ 8][TX-S] 2.13-3.10 sec 17.8 MBytes 154 Mbits/sec
[ 5][RX-S] 3.10-4.08 sec 2.18 MBytes 18.6 Mbits/sec
[ 8][TX-S] 3.10-4.08 sec 18.4 MBytes 157 Mbits/sec
[ 5][RX-S] 4.08-5.14 sec 3.90 MBytes 30.9 Mbits/sec
[ 8][TX-S] 4.08-5.14 sec 19.0 MBytes 151 Mbits/sec
[ 5][RX-S] 5.14-6.07 sec 2.89 MBytes 26.0 Mbits/sec
[ 8][TX-S] 5.14-6.07 sec 17.1 MBytes 154 Mbits/sec
[ 5][RX-S] 6.07-7.00 sec 8.07 MBytes 72.6 Mbits/sec
[ 8][TX-S] 6.07-7.00 sec 15.2 MBytes 137 Mbits/sec
[ 5][RX-S] 7.00-8.09 sec 4.54 MBytes 35.0 Mbits/sec
[ 8][TX-S] 7.00-8.09 sec 19.2 MBytes 148 Mbits/sec
[ 5][RX-S] 8.09-9.12 sec 5.39 MBytes 43.9 Mbits/sec
[ 8][TX-S] 8.09-9.12 sec 18.2 MBytes 149 Mbits/sec
[ 5][RX-S] 9.12-10.01 sec 2.72 MBytes 25.7 Mbits/sec
[ 8][TX-S] 9.12-10.01 sec 16.4 MBytes 155 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID][Role] Interval Transfer Bitrate
[ 5][RX-S] 0.00-10.01 sec 40.1 MBytes 33.6 Mbits/sec receiver
[ 8][TX-S] 0.00-10.01 sec 179 MBytes 150 Mbits/sec sender
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------
9. Verify IPERF3 traffic on the IPSEC tunnel through packet capture
To verify that the IPERF3 traffic is passing through the IPSEC tunnel, compare the SPI values of the tunnel with the SPI values seen in the packet capture.
Packet capture:
# tcpdump -ni en1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:53:36.636093 ARP, Request who-has 10.10.10.72 tell 10.10.10.71, length 28
00:53:36.636186 ARP, Reply 10.10.10.72 is-at b6:88:ef:35:18:03, length 28
00:53:36.636189 IP 10.10.10.71 > 10.10.10.72: AH(spi=0x87a6859b,seq=0x1): ESP(spi=0xb809f9af,seq=0x1), length 76
00:53:36.636344 IP 10.10.10.72 > 10.10.10.71: AH(spi=0x66ab5c31,seq=0x1): ESP(spi=0xf2049c08,seq=0x1), length 76
00:53:36.636391 IP 10.10.10.71 > 10.10.10.72: AH(spi=0x87a6859b,seq=0x2): ESP(spi=0xb809f9af,seq=0x2), length 68
00:53:36.636471 IP 10.10.10.72 > 10.10.10.71: AH(spi=0x66ab5c31,seq=0x2):
The above packet capture is from the initiator node. The observed SPI values are:
10.10.10.71 > 10.10.10.72:
AH SPI: 0x87a6859b (Decimal value: 2275837339)
ESP SPI: 0xb809f9af (Decimal value: 3087661487)
10.10.10.72 > 10.10.10.71:
AH SPI: 0x66ab5c31 (Decimal value: 1722506289)
ESP SPI: 0xf2049c08 (Decimal value: 4060388360)
lstun output on the AIX nodes (shown here for the initiator, 10.10.10.71). Note that the SPIs on packets sent from 10.10.10.71 appear as the Dest AH/ESP SPIs in this output, while the SPIs on packets arriving from 10.10.10.72 appear as the Source AH/ESP SPIs; each SPI identifies one direction of the tunnel. Since lstun -a also prints the SA keys, treat its output as sensitive.
# lstun -a
IP Version : IPv4
Tunnel ID : IKE 1
Source : 10.10.10.71
Destination : 10.10.10.72
Policy : eaea
Source AH Algo : HMAC_MD5
Source AH SPI : 1722506289
Source AH Key : 0x57315c3d2b18e203700556bcddba2f91
Dest AH Algo : HMAC_MD5
Dest AH SPI : 2275837339
Dest AH Key : 0x76bb53269bdb828420fd2df94294e8eb
Source ESP Algo : DES_CBC_8
Source ESP SPI : 4060388360
Source ESP Key : 0x25baf79de2e63d28
Dest ESP Algo : DES_CBC_8
Dest ESP SPI : 3087661487
Dest ESP Key : 0xe73c520d53402a43
Tunnel Mode : Transport
New Header : Yes
Replay : Yes
Reference Count : 0
Deleted : No
Start : 12/12/23 00:29:18
Expire : 12/12/23 01:19:18
AH Life Size : 0
Input AH Life Size Left : 0
Output AH Life Size Left : 0
ESP Life Size : 0
Input ESP Life Size Left : 0
Output ESP Life Size Left: 0
SA Idle Start : 0
SA Idle Timeout (delete cache) : 0
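As an added check (example code written for this article, not part of the original page or of AIX), the following Python script automates the SPI comparison above: it pulls the hex SPIs out of tcpdump lines, parses the decimal SPIs from lstun -a, and verifies that packets leaving this node carry the Dest SPIs while packets arriving carry the Source SPIs. The sample input is constructed from the capture and lstun output shown above, and the Source/Dest direction mapping is taken from that output (assumed to hold generally).

```python
import re
# Constructed sample input, abridged from the tcpdump and lstun output shown in step 9.
CAPTURE = """\
00:53:36.636189 IP 10.10.10.71 > 10.10.10.72: AH(spi=0x87a6859b,seq=0x1): ESP(spi=0xb809f9af,seq=0x1), length 76
00:53:36.636344 IP 10.10.10.72 > 10.10.10.71: AH(spi=0x66ab5c31,seq=0x1): ESP(spi=0xf2049c08,seq=0x1), length 76
00:53:36.636391 IP 10.10.10.71 > 10.10.10.72: AH(spi=0x87a6859b,seq=0x2): ESP(spi=0xb809f9af,seq=0x2), length 68
"""
LSTUN = """\
Source : 10.10.10.71
Destination : 10.10.10.72
Source AH SPI : 1722506289
Dest AH SPI : 2275837339
Source ESP SPI : 4060388360
Dest ESP SPI : 3087661487
"""
PKT_RE = re.compile(r"IP (\S+) > (\S+): AH\(spi=0x([0-9a-f]+),.*?ESP\(spi=0x([0-9a-f]+),")

def capture_spis(text):
    """Map (src, dst) -> {'AH': {spi, ...}, 'ESP': {spi, ...}} with SPIs as integers."""
    seen = {}
    for m in PKT_RE.finditer(text):
        src, dst, ah, esp = m.groups()
        flows = seen.setdefault((src, dst), {"AH": set(), "ESP": set()})
        flows["AH"].add(int(ah, 16))   # tcpdump prints SPIs in hex
        flows["ESP"].add(int(esp, 16))
    return seen

def lstun_spis(text):
    """Pull the local/peer address and the four decimal SPIs out of `lstun -a` text."""
    info = {}
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key in ("Source", "Destination"):
            info[key] = val
        m = re.fullmatch(r"(Source|Dest) (AH|ESP) SPI", key)
        if m:
            info[(m[1], m[2])] = int(val)  # lstun prints SPIs in decimal
    return info

def check_tunnel(capture, lstun):
    """Return a list of mismatches; an empty list means every captured SPI belongs to the tunnel.
    Mapping assumed from the page's output: 'Dest' SPIs ride on packets we send, 'Source' on packets we receive."""
    pkts, tun = capture_spis(capture), lstun_spis(lstun)
    me, peer = tun["Source"], tun["Destination"]
    problems = []
    for proto in ("AH", "ESP"):
        if pkts.get((me, peer), {}).get(proto) != {tun[("Dest", proto)]}:
            problems.append(f"outbound {proto} SPI does not match lstun Dest {proto} SPI")
        if pkts.get((peer, me), {}).get(proto) != {tun[("Source", proto)]}:
            problems.append(f"inbound {proto} SPI does not match lstun Source {proto} SPI")
    return problems
```

Feed it the full tcpdump and lstun -a output from the initiator; any non-empty result means traffic on the wire is not using the SAs of the tunnel you think you are testing.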
10. IPERF3 traffic using UDP and custom ports.
To send UDP traffic, use the -u option on the client side; the iPerf3 server is started with the usual -s command. The -p option can be used on the server to listen on a specific port, in which case the client is given the same port.
The server side does not start listening on the UDP port until it receives the first incoming packet.
IPERF3 command on the client for UDP traffic.
# iperf3 -c 10.10.10.72 --bidir -u
The server needs no UDP-specific option; it is started with the same iperf3 -s command as in step 6.
IPERF commands on the client and server with the -p (--port) option.
Client:
# iperf3 -c 10.10.10.72 -p 5003 --bidir -t 2
Connecting to host 10.10.10.72, port 5003
Server:
# iperf3 -s -p 5003
-----------------------------------------------------------
Server listening on 5003 (test #1)
-----------------------------------------------------------
Accepted connection from 10.10.10.71, port 32854
[ 5] local 10.10.10.72 port 5003 connected to 10.10.10.71 port 32855
[ 8] local 10.10.10.72 port 5003 connected to 10.10.10.71 port 32856