Earlier we covered deploying the Juniper virtual firewall vSRX (first impressions of deploying the Juniper vSRX virtual firewall), importing it into ESXi (a simple test of the Juniper vSRX virtual firewall deployed on ESXi), importing it into EVE-NG (importing the Juniper vSRX virtual firewall into EVE-NG), and ran a simple IPsec VPN configuration test in EVE-NG (configuring a policy-based IPsec VPN on the Juniper vSRX via the web UI, and a route-based IPsec VPN via the CLI).
Those were all feature tests; today we take a quick look at vSRX forwarding performance. The SRX keeps the default configuration it had on import: 2 vCPUs and 4 GB of RAM.
First, we attach one host to each of the two interfaces on vSRX219 and measure forwarding performance.
set interfaces ge-0/0/0 unit 0 family inet address 10.11.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.12.1.1/24
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
commit
Over several runs, aggregate forwarding throughput was around 7 Gbps, with peaks around 8 Gbps.
To be reasonably accurate, we ran the same test on vSRX220.
Its numbers were slightly higher, within 5% overall, so nothing to worry about.
Then we connected the two devices to each other and built a route-based IPsec VPN. The vSRX219 configuration is as follows:
set interfaces st0 unit 0 family inet address 10.120.1.1/24
set routing-options static route 10.22.1.0/24 next-hop st0.0
set security zones security-zone trust interfaces st0.0
set security ike proposal ike authentication-method pre-shared-keys
set security ike proposal ike dh-group group19
set security ike proposal ike encryption-algorithm aes-256-gcm
set security ike policy ike proposals ike
set security ike policy ike pre-shared-key ascii-text qweasd123
set security ike gateway gw address 10.12.1.2
set security ike gateway gw remote-identity inet 10.12.1.2
set security ike gateway gw external-interface ge-0/0/0
set security ike gateway gw local-address 10.12.1.1
set security ike gateway gw local-identity inet 10.12.1.1
set security ike gateway gw version v2-only
set security ike gateway gw ike-policy ike
set security ipsec proposal ipsec protocol esp
set security ipsec proposal ipsec encryption-algorithm aes-256-gcm
set security ipsec policy ipsec proposals ipsec
set security ipsec policy ipsec perfect-forward-secrecy keys group19
set security ipsec vpn ipsec ike gateway gw
set security ipsec vpn ipsec ike ipsec-policy ipsec
set security ipsec vpn ipsec bind-interface st0.0
set security ipsec vpn ipsec establish-tunnels immediately
commit
The vSRX220 configuration is as follows:
set interfaces st0 unit 0 family inet address 10.120.1.2/24
set routing-options static route 10.11.1.0/24 next-hop st0.0
set security zones security-zone trust interfaces st0.0
set security ike proposal ike authentication-method pre-shared-keys
set security ike proposal ike dh-group group19
set security ike proposal ike encryption-algorithm aes-256-gcm
set security ike policy ike proposals ike
set security ike policy ike pre-shared-key ascii-text qweasd123
set security ike gateway gw address 10.12.1.1
set security ike gateway gw remote-identity inet 10.12.1.1
set security ike gateway gw external-interface ge-0/0/0
set security ike gateway gw local-address 10.12.1.2
set security ike gateway gw local-identity inet 10.12.1.2
set security ike gateway gw version v2-only
set security ike gateway gw ike-policy ike
set security ipsec proposal ipsec protocol esp
set security ipsec proposal ipsec encryption-algorithm aes-256-gcm
set security ipsec policy ipsec proposals ipsec
set security ipsec policy ipsec perfect-forward-secrecy keys group19
set security ipsec vpn ipsec ike gateway gw
set security ipsec vpn ipsec ike ipsec-policy ipsec
set security ipsec vpn ipsec bind-interface st0.0
set security ipsec vpn ipsec establish-tunnels immediately
commit
After the commit, check the IPsec negotiation state.
IPsec VPN negotiation succeeded, so next we test forwarding bandwidth through the tunnel.
Peak forwarding bandwidth was about 3.5 Gbps, settling at a steady value around 3.18 Gbps, which is not bad.
In fact, the phase 2 encryption algorithm has a considerable impact on performance. As we already know, phase 2 uses one of two protocols, AH or ESP: AH only provides integrity checking and does no encryption, while ESP is the one that encrypts the data. Our IPsec VPN also configured no authentication algorithm, only an encryption algorithm (AES-GCM is an authenticated, AEAD cipher, so integrity is built in and no separate authentication algorithm is required), which makes comparing the encryption performance of the algorithms much simpler.
In the IPsec VPN configuration UI we can see that Juniper supports the following encryption algorithms: DES (not recommended), 3DES (not recommended), AES-CBC (128, 192 and 256-bit) and AES-GCM (128, 192 and 256-bit), eight algorithms in total.
3DES-CBC should normally have the lowest encryption performance, so let's change the encryption algorithm to that and see.
Another quick performance test.
Sure enough, throughput collapsed to 139 Mbps, only 4.3% of AES-GCM-256 (3.18 Gbps). By comparison, every other algorithm should outperform this value.
For example, let's change the encryption algorithm to AES-GCM-128.
Another quick performance test.
Throughput was about 3.45 Gbps, roughly 8.5% higher than AES-GCM-256 (3.18 Gbps). Unsurprisingly, this should be the fastest algorithm of the set; all the others should come in below it.
AES-GCM-128 has a counterpart, AES-CBC-128, so let's swap that in.
Another quick performance test.
Throughput was about 1.89 Gbps, roughly 55% of AES-GCM-128 (3.45 Gbps), presumably a middling value.
Based on the data points measured so far, a blind guess at the ranking from highest to lowest encryption performance would be: AES-GCM-128, AES-GCM-192, AES-GCM-256, AES-CBC-128, AES-CBC-192, AES-CBC-256, DES-CBC, 3DES-CBC.
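To see where the gap between the suites comes from without a vSRX in the loop, here is an added Go micro-benchmark (not from the original article and not Juniper code) that seals 1408-byte packets with the four suites compared above: AES-GCM carries its own tag, while the CBC suites get an HMAC-SHA256 tag appended, as a CBC proposal needs on the wire. Keys, IV and nonce are constructed zero values for timing only, and the numbers reflect the host CPU, not the vSRX data plane.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"time"
)

// Sealer turns one inner packet into an ESP-like protected payload (ciphertext + tag).
type Sealer func(pt []byte) []byte
// newGCM: GCM is an AEAD mode, so the tag is built in and, as in the article's aes-256-gcm proposal, no separate authentication algorithm is configured.
func newGCM(block cipher.Block) Sealer {
	aead, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	nonce := make([]byte, aead.NonceSize()) // constructed fixed nonce, timing only
	return func(pt []byte) []byte { return aead.Seal(nil, nonce, pt, nil) }
}
// newCBCHMAC: CBC alone gives no integrity, so a CBC proposal carries a separate authentication algorithm; here an HMAC-SHA256 tag over the ciphertext is appended.
func newCBCHMAC(block cipher.Block, macKey []byte) Sealer {
	iv := make([]byte, block.BlockSize()) // constructed fixed IV, timing only
	return func(pt []byte) []byte {
		ct := make([]byte, len(pt))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
		mac := hmac.New(sha256.New, macKey)
		mac.Write(ct)
		return mac.Sum(ct) // ciphertext followed by the 32-byte tag
	}
}
// Mbps seals n packets of size bytes (a multiple of 16) and returns Mbit/s of plaintext.
func Mbps(seal Sealer, size, n int) float64 {
	pt := make([]byte, size) // constructed zero payload
	start := time.Now()
	for i := 0; i < n; i++ { seal(pt) }
	return float64(size*n*8) / time.Since(start).Seconds() / 1e6
}
// Suites mirrors the article's comparison: AES-GCM-128/256, AES-CBC-128 and 3DES-CBC.
func Suites() map[string]Sealer {
	k16, k24, k32 := make([]byte, 16), make([]byte, 24), make([]byte, 32) // constructed keys
	aes128, _ := aes.NewCipher(k16)
	aes256, _ := aes.NewCipher(k32)
	tdes, _ := des.NewTripleDESCipher(k24)
	return map[string]Sealer{
		"aes-128-gcm":             newGCM(aes128),
		"aes-256-gcm":             newGCM(aes256),
		"aes-128-cbc+hmac-sha256": newCBCHMAC(aes128, k32),
		"3des-cbc+hmac-sha256":    newCBCHMAC(tdes, k32),
	}
}
```

Call `Mbps(s, 1408, 20000)` for each entry of `Suites()` and compare the ratios with the article's tunnel measurements; on a CPU with AES-NI the 3DES suite falls far behind just as it did on the vSRX.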