EdgeX and IP530

[Ckiller]

Hello.

At my workplace ive built up a VPN network which utilizes EdgeX (most of em with latest firmware) satellites and a Central Nokia IP530(4 years old) with NG r55. Using normal 3des as VPN encryption

Now on for my problem. My satellites seems to from time to time suffer from serious problems with low bandwith even though they have atleast 5mbit lines.
I have 6-7 satellites running on a steady basis, and roughly 20 Securemote users. Add on to that roughly 400 computers inside the organization that utilizes the IP530 as a firewall.
My satellites also seem to have problems with small files/high amounts transferd from inside the organisation to the satellite locations.

Now my question: Does anybody know if its the edge boxes or the IP530 that might be the cause of the problems? Or should i mayby try to change to a "easier" encryption which might not utilize as much processor?

Best regards
Claes

[chillyjim]

An EdgeX with 6.x firmware should be able to saturate that link without a problem. Is the performance issues just with VPN traffic or all traffic?

If it's just VPN traffic I'd start looking for fragmentation of the VPN traffic.

You might want to take a look at the CPU utilization on the 530 (Sorry I don't know how to do it on IPSO, but I'm sure someone here does), though I doubt that's the problem.

FWIW R61's VPN is faster than R55 and it supports AES

[Ckiller]

Quote:

Originally Posted by chillyjim

An EdgeX with 6.x firmware should be able to saturate that link without a problem. Is the performance issues just with VPN traffic or all traffic?

If it's just VPN traffic I'd start looking for fragmentation of the VPN traffic.

You might want to take a look at the CPU utilization on the 530 (Sorry I don't know how to do it on IPSO, but I'm sure someone here does), though I doubt that's the problem.

FWIW R61's VPN is faster than R55 and it supports AES

Im just using em for VPN traffic.

Think im gonna try to update the 530
Sadly i dont have a clue how to check the cpu utilization on the ip530

Thanks for the answer mate

[aqw789]

vmstat -n 1

[aqw789]

You could also try top.

[RayPesek]

The Voyager web interface has some very good tools and charts for things like this. It even retains historical data for awhile.

I'd lose 3DES in a heartbeat myself. If you don't have a crypto accelerator card in the IP530, you'll hammer it. Both the R55 and the Edge's support AES and it's far, far easier on the hardware utilization.

Make sure you're on a recent HFA on the IP530. There were a lot of Edge fixes up until 15 or so.

Ray

[Ckiller]

So changed phase 1 encryption to AES256 and phase 2 to AES128

Gonna try this a while and see how it goes thanks for the answers guys

[Ckiller]

If i were to change the Phase2(ipsec) encryption to NULL what would that mean security wise?

Tunnel is still encrypted but the traffic inside isnt or?