How do VPN Configurations Affect Speed?

Is one Cisco configuration for VPN faster than another?
For example, AnyConnect, Easy VPN, Network Client Access, Clientless SSL, IPsec IKEv1 v IKEv2, etc.
What are some primary things that affect VPN speed other than adjusting the MTU?

Hello Mark

There is no clear order in which we can place your list of technologies, and there are several reasons for this. First of all, AnyConnect, EasyVPN, and Network Client Access are all tools that can be used to create VPN configurations. These configurations can have varying parameters that can affect the speed of the connection. Clientless SSL is also a feature of the ASA that can have varying parameters but is only limited to web traffic, so speed comparisons with other traffic cannot be made. IPsec is a whole suite of protocols that can be used by VPNs that can also be configured with varying parameters that will affect speed.

The major components that affect speed include:

  1. Overhead - This is the amount of additional headers and information that is sent along with the data in order to regulate the encryption, tunnelling, and management of the VPN connection. For example, IPsec can add anywhere from 24 to 58 bytes of overhead per packet depending on how it is set up.
  2. Overhead can lead to fragmentation - This is where the MTU that you mention comes in. If not configured correctly, the overhead could cause fragmentation of IP packets which results in an increase in CPU and memory usage (since you now have to deal with two or more packets at every part of the path they take instead of one).
  3. Encryption and Authentication - The protocols and algorithms used for encryption and authentication (if they are applied) will cause an increase in the use of CPU and memory at both the sender and the receiver. This will slow down transmission depending on the resources available to the hosts involved in the transmission.
  4. The type of traffic - The type of traffic will also affect efficiency. If you are using VoIP where packets are typically between 60 and 120 bytes in size, an increase in overhead of 58 bytes will increase packet sizes by almost 100% in some cases, which is a drastic drop in efficiency.

In order to determine which is best, you have to look at the particulars of the options you have available, and choose the technologies that will lower overhead, will improve encryption efficiency, and will provide the appropriate level of security for your application.

I hope this has been helpful.
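
The overhead and fragmentation points in the answer above can be put into numbers with a short calculation. This is an added example, not part of the original post; it assumes an outer IPv4 header of 20 bytes without options, a path MTU of 1500 bytes, an overhead figure that already includes the outer header, and fragmentation after encapsulation. The function names are hypothetical.

```python
"""Added example: per-packet cost of VPN overhead and fragmentation."""
import math

IPV4_HEADER = 20  # assumption: outer IPv4 header without options


def fragment_count(packet_len: int, path_mtu: int) -> int:
    """Number of IPv4 fragments needed to carry packet_len over path_mtu."""
    if packet_len <= path_mtu:
        return 1
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("path MTU too small to carry any payload")
    return math.ceil((packet_len - IPV4_HEADER) / per_fragment)


def tunnel_cost(inner_len: int, overhead: int, path_mtu: int = 1500) -> dict:
    """Wire bytes, fragment count and efficiency for one tunnelled packet.

    Assumes the overhead figure includes the outer IP header and that
    fragmentation happens after encapsulation.
    """
    outer_len = inner_len + overhead
    frags = fragment_count(outer_len, path_mtu)
    # Each extra fragment repeats the outer IPv4 header.
    wire_bytes = outer_len + (frags - 1) * IPV4_HEADER
    return {
        "fragments": frags,
        "wire_bytes": wire_bytes,
        "efficiency": inner_len / wire_bytes,
        "growth_pct": 100.0 * (wire_bytes - inner_len) / inner_len,
    }


def max_inner_packet(overhead: int, path_mtu: int = 1500) -> int:
    """Largest inner packet that still fits in one outer packet."""
    return path_mtu - overhead


if __name__ == "__main__":
    # Constructed sizes, with the 24- and 58-byte bounds quoted in the answer.
    for overhead in (24, 58):
        print(f"overhead {overhead} B, fits up to {max_inner_packet(overhead)} B")
        for inner in (60, 120, 1442, 1500):
            c = tunnel_cost(inner, overhead)
            print(f"  {inner:>4} B -> {c['wire_bytes']:>4} B on wire, "
                  f"{c['fragments']} fragment(s), {c['efficiency']:.1%} efficient")
```

With 58 bytes of overhead, a 60-byte packet grows by about 97% but stays in one piece, while a full 1500-byte packet is split in two; keeping inner packets at or below the `max_inner_packet` value avoids the split.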