OpenVPN vs. IPSec - which one is faster for tunneling?
Complexity of installation of IPSec is not an issue. I would like to know which one will provide a faster connection for tunneling.
34 Answers
That is very very AFAIK, but I decided to make it an answer and not a comment.
OpenVPN uses certificates, and there should be some certificate/key exchange involved, so it will take longer to establish the tunnel than IPSEC with peer negotiation and establishing of the tunnel. Afterwards, if the same encryption is used, you will see no difference.
I should note that OpenVPN will be like a tunnel with addresses; for IPSEC it will be tunnel mode, where it will check packets from a certain place going to another certain place and encrypt/decrypt accordingly. That way, for IPSEC to make an actual tunnel you will have to use some simpler tunnel like IPIP or GRE over IPSEC encryption.
After doing some experiments I found out that IPSec is faster than OpenVPN. The reason could be that IPSec is a kernel implementation while OpenVPN is a userspace implementation.
Agreed with the above statement. IPsec is faster than OpenVPN UDP. Tested with streaming transcoded 720 media @ flash 11 720p spec over 4g 6 mbit connection from 10mbit upload cap. Same aes cbc 128, ipsec did have 2nd (phase 2) enc +fp2 yet ipsec had shorter delay and no buffering of content. Yes, could be the way internet routers are happily passing along ipsec traffic vs ovpn udp traffic; doesn't that just make it technically "faster" over public networks and maybe same speed over local/(closed/dark) nets?
StrongSwan is an implementation of IPSec which is multi-threaded. If you're going to encrypt AES256 on a 10Mbps connection, 1 core of a WRT1900ACS will be fast enough for oVPN to encrypt and get roughly 9Mbps effective over that connection. If you however have a 500Mbps connection, you'll notice even a 3GHz Pentium won't pull it off, because the 4 cores can do it, encrypt fast enough for your 500Mbps to utilize, but it can only use 1! Which maxes out roughly at 120-130Mbps.
You use openSwan, it can even use a 12 core CPU. That Pentium 3GHz will now use all cores it has, and if you have an octa core it'll use all 8.
oVPN can't compete with that.
So on low bandwidth connections up to 100Mbps, oVPN is fast enough on high end CPUs. On the bandwidth of connections for the 21st century, it ain't good enough to use only 1 core.