Performance Evaluation for Remote Access VPNs on Fedora Core 6
Ahmed A. Jaha, Fathi Ben Shatwan, and Majdi Ashibani
The Higher Institute of Industry, Misurata, Libya
goha_99@yahoo.com
Abstract

A Virtual Private Network (VPN) can be defined as a way to provide secure communication between members of a group through use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. This work examines and empirically evaluates remote access VPNs, namely the Point to Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol over Internet Protocol Security (L2TP/IPSec), and Secure Socket Layer (SSL). We explore the impact of these VPNs on end-to-end user application performance using metrics such as throughput, RTT, jitter, and packet loss. All experiments were conducted using a wired or wireless Windows XP SP2 host (VPN client) connected to a Fedora Core 6 host (VPN server).

Keywords- VPN; PPTP; L2TP; IPSec; SSL; OpenVPN; WLAN; performance evaluation.

1. Introduction

In the past, organizations or enterprises would physically install lines over large distances to ensure secure data transfer. However, this approach is impractical for every enterprise and for everyday users due to the cost, space, and time required for such installations. In recent years, with the exponential growth of the Internet, the landscape of telecommunications has changed radically and the Internet has become part of almost every aspect of the developed world, including education, banking, business, and politics. Over the past two decades the public Internet has been found to be vulnerable to attackers seeking sensitive information. The most recent solution to this problem has been the IP-based Virtual Private Network (IPVPN).

A Virtual Private Network (VPN) can be defined as a way to provide secure communication between members of a group through use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. VPN systems provide users with the illusion of a completely private network. An IP Virtual Private Network (IPVPN) can be defined as a VPN implementation that uses public or shared IP network resources to emulate the characteristics of an IP-based private network.

The main purpose of a VPN is to give enterprises the same capabilities as private networks, or even better ones, at a much lower cost. Enterprises benefit from VPNs by reducing cost, increasing scalability, and increasing productivity, without impairing security [1].

A VPN should provide authentication, access control, confidentiality, and data integrity to ensure the security of the data. It is also possible to deploy VPNs on a wireless network infrastructure to secure transmission between wireless clients and their wired enterprise network.

2. Tunneling Basics

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network. Instead of sending a payload as it is produced by the originating node, the tunneling protocol encapsulates the payload in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork. The encapsulated payloads are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated payloads travel across the internetwork is called a tunnel. Once the encapsulated payloads reach their destination on the internetwork, the payloads are decapsulated and forwarded to their final destination. Tunneling includes this entire process (encapsulation, transmission, and decapsulation of packets), as shown in figure 1.
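The encapsulate, transmit, decapsulate sequence described above, worked through as an added example that is not code from the paper: a GRE tunnel carrying an inner IPv4 packet between two tunnel endpoints. GRE is the carrier that PPTP [3] builds on (RFC 2637 uses an enhanced GRE); the plain RFC 2784/2890 header used here is shorter but has the same structure. All addresses, the key value, and the inner packet are constructed sample values.

```python
"""IP-in-GRE encapsulation and decapsulation (added example, not the paper's code).

Walks through the three tunneling steps of section 2 for a GRE tunnel
(RFC 2784 base header, optional RFC 2890 key and sequence fields).
Addresses and the inner packet are constructed sample values.
"""
import socket
import struct
from typing import Optional, Tuple

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type of an encapsulated IPv4 packet
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Tunnel entry: prepend a GRE header and an outer IPv4 header to the inner packet."""
    flags = (GRE_FLAG_K if key is not None else 0) | (GRE_FLAG_S if seq is not None else 0)
    gre = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    if seq is not None:
        gre += struct.pack("!I", seq)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(outer: bytes, expected_key: Optional[int] = None) -> Tuple[bytes, Optional[int]]:
    """Tunnel exit: validate the outer headers, then return (inner_packet, sequence)."""
    if len(outer) < 24 or (outer[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer[2:4])[0]
    if ihl < 20 or total_len > len(outer) or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("malformed outer IPv4 header")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if (flags & 0x0007) != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE version or payload type")
    pos = ihl + 4
    if flags & GRE_FLAG_C:
        pos += 4                      # optional checksum + reserved1 (not verified here)
    key = seq = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", outer[pos:pos + 4])[0]
        pos += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", outer[pos:pos + 4])[0]
        pos += 4
    if total_len < pos:
        raise ValueError("GRE header runs past the outer packet")
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key does not identify this tunnel")
    return outer[pos:total_len], seq


def sample_inner_packet() -> bytes:
    """Constructed inner packet: private-address IPv4 + UDP header + short payload."""
    payload = b"hello from the remote client"
    udp = struct.pack("!HHHH", 40000, 5001, 8 + len(payload), 0)   # no UDP checksum
    return ipv4_header("10.0.0.5", "192.168.1.10", 17, len(udp) + len(payload)) + udp + payload


def tunnel_overhead(inner: bytes, **gre_fields) -> int:
    """Bytes the tunnel adds per packet (outer IPv4 + GRE); assumed endpoint addresses."""
    return len(gre_encapsulate(inner, "203.0.113.7", "198.51.100.1", **gre_fields)) - len(inner)


if __name__ == "__main__":
    inner = sample_inner_packet()
    outer = gre_encapsulate(inner, "203.0.113.7", "198.51.100.1", key=0x1234, seq=1)
    recovered, seq = gre_decapsulate(outer, expected_key=0x1234)
    assert recovered == inner and seq == 1
    print("per-packet overhead: %d bytes plain, %d bytes with key and sequence"
          % (tunnel_overhead(inner), tunnel_overhead(inner, key=1, seq=1)))
```

The decapsulation step is where the tunnel endpoint checks the outer header and the tunnel identity (the GRE key) before forwarding the inner packet; nothing in this encapsulation gives confidentiality or integrity, which is why PPTP relies on MPPE inside the PPP payload and why L2TP is paired with IPSec (sections 4 and 7).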
Figure 1. Tunneling

3. Architecture of VPN

A VPN should typically support the following architecture, as shown in figure 2.

3.1. Remote Access VPN

The remote access VPN is a user-to-LAN connection used by enterprises that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports).

3.2. Site to Site VPN

A site-to-site VPN is a LAN-to-LAN connection used by an enterprise to connect multiple sites together.

3.2.1. Intranet Site to Site VPN. If an enterprise has one or more branch offices that it wishes to join in a single private network, it can create an intranet VPN.

3.2.2. Extranet Site to Site VPN. When an enterprise has a close relationship with another enterprise (partner, supplier or customer), it can build an extranet VPN which connects the LANs together.

4. Remote Access VPN Protocols

To establish a connection, both the client and the server must be using the same VPN protocol [2].

4.1. Point to Point Tunneling Protocol (PPTP)

PPTP is a standard tunneling protocol developed by the PPTP Forum, which consists of Microsoft and some other remote access vendors. Basically, PPTP is an extension of the Point to Point Protocol (PPP), which encapsulates PPP frames in IP datagrams for transmission over an IP-based network [3]. Confidentiality is not provided by the PPTP tunnel itself but by the PPP payload, which in the test bed of section 5 is protected with MPPE (table 2).

4.2. Layer Two Tunneling Protocol (L2TP)

L2TP is a combination of PPTP and Layer Two Forwarding (L2F). Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the IETF mandated that the two technologies be combined into a single tunneling protocol that represents the best features of both [4]. L2TP provides the tunnel only; confidentiality and integrity come from running it over IPSec, which is the L2TP/IPSec combination evaluated in this paper.

4.3. Internet Protocol Security (IPSec)

IPSec is a framework of IETF open standards aimed at securing traffic at the network layer. It does not specify the authentication and encryption protocols to use. This makes it flexible and able to support new authentication and encryption methods as they are developed [5].

4.4. Secure Socket Layer (SSL)

SSL is a higher-layer security protocol developed by Netscape. SSL is commonly used with HTTP to enable secure Web browsing, called HTTPS. However, SSL can also be used to create a VPN tunnel. For example, OpenVPN is an open-source VPN package which uses SSL to provide encryption of both the data and control channels.
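As an added example, not a configuration from the paper, the following OpenVPN 2.0-era configuration reproduces the settings the test bed in section 5 uses for the OpenVPN leg: a preshared (static) key, SHA1 packet authentication, 3DES encryption, and no compression. The file names, tunnel addresses and the server hostname are assumptions. One caveat a practitioner should know: in this static-key mode OpenVPN performs no TLS handshake at all; the data channel is protected directly by the shared key with the configured cipher and HMAC, so "SSL" here refers to the OpenSSL library providing the cryptography, not to an SSL/TLS session.

```conf
# Added example, not the paper's configuration. Mirrors the section 5
# OpenVPN client parameters: preshared key, SHA1 authentication, 3DES,
# no compression. File names and addresses are assumptions.
#
# Generate the shared key once on the server and copy it to the client
# over a trusted channel (OpenVPN 2.0 syntax):
#     openvpn --genkey --secret static.key
#
# ---- /etc/openvpn/static.conf on vpn01Server (Fedora Core 6) ----
dev tun
proto udp
port 1194
# assumed tunnel endpoint addresses: local, remote
ifconfig 10.8.0.1 10.8.0.2
# preshared key, as in table 2 (static-key mode: no TLS negotiation)
secret static.key
# 3DES in CBC mode, the paper's cipher setting
cipher DES-EDE3-CBC
# HMAC-SHA1 packet authentication, the paper's auth setting
auth SHA1
# no "comp-lzo" line: compression disabled, as in the test bed
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- client.ovpn on vpn01Client (Windows XP SP2, OpenVPN 2.0.9) ----
dev tun
proto udp
# assumed DNS name of the VPN server
remote vpn01server.example.com 1194
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher DES-EDE3-CBC
auth SHA1
keepalive 10 60
persist-key
persist-tun
verb 3
```

Both sides must agree on cipher, auth and the absence of compression, or datagrams are silently dropped at the receiver's HMAC check. 3DES and a single shared static key are the paper's 2007-era choices; they are shown to match the test bed, and a current deployment would use TLS mode with per-client certificates and a modern cipher instead.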
Figure 2. VPN architecture

5. Test Beds and Measurement Procedures

The work in this paper is based on two test beds that were built to evaluate the performance of wired and wireless remote access VPNs on a Fedora Core 6 VPN server.
server. The hardware and software components of This node is loaded with windows XP
these test beds are listed in tables 1 and 2 and the SP/2. New connection wizard is used to
connections of these test beds are shown in figures 3 configure this node to act as PPTP VPN
and 4. client that is connected to vpn01Server
node with MS-CHAPv2 authentication
Table 1. Test beds hardware components algorithm, MPPE encryption algorithm,
Node Description and no compression algorithm [6].
New connection wizard is used to
Desktop equipped with double Genuine
configure this node to act as L2TP/IPSec
Intel 2600 MHz processor, 512 Mbytes
VPN client that is connected to
of RAM, and VIA Rhine II Compatible vpn01Client
dc01Server vpn01Server node with preshared key,
Fast Ethernet Adapter built-in network
MD5-CHAP authentication algorithm,
interface card. It is act as a domain
ESP-3DES encryption algorithm, and no
controller server.
compression algorithm [6].
Desktop equipped with double Genuine OpenVPN-2.0.9.exe is installed to
Intel 3000 MHz processor, 512 Mbytes configure this node to act as SSL client
of RAM, Broadcom Extreme Gigabit that is connected to vpn01Server with
Ethernet built-in network interface card, preshared key, SHA1 authentication
vpn01Server
and VIA VT6105 Rhine III Compatible algorithm, 3DES encryption algorithm,
Fast Ethernet Adapter network interface and no compression algorithm [10].
card. It is act as a domain client and
VPN server.
Laptop equipped with Genuine Intel
1866 MHz processor, 512 Mbytes of
RAM, Broadcom 440x 10/100 Integrated
vpn01Client controller built-in network interface
card, and Intel(R) PRO/ Wireless
2200BG network connection. It is act as
a VPN client.
LINKSYS, wireless-G Access Point with
Access Point
SES model WAP54G.
HUB LANTECH, Ethernet 10 BASE-T HUB.
Figure 3. Wired test bed connections
Table 2. Test beds software components
Node Description
This node is loaded with windows server
2003. Configure your server wizard is
dc01Server
used to configure this node to act as a
domain controller server [6].
This node is loaded with fedora core 6.
Pptpd-1.3.3-1.fc6.i386.rpm is installed
to configure this node to act as PPTP
VPN server [7], xl2tpd-1.1.09-
1.i386.fc6.rpm and OpensWan-2.4.5-2.1
vpn01Server Figure 4. Wireless test bed connections
are installed to configure this node to act
as L2TP/IPSec VPN server [8][9], and
OpenVPN-2.0.9.tar is installed to During our experiments, the following parameters
configure this node to act as SSL VPN were used to quantify the QoS services provided [11]:
server [10]. • Throughput is the rate at which bulk of data
transfers can be transmitted from one host to
another over a sufficiently long period of time.
• Round Trip Time (RTT) is the amount of time it 6.3. UDP throughput
takes one packet to travel from one host to another
and back to the originating host. UDP throughput is measured according to
• Packet delay variation (Jitter) is measured for transmission rate of packets. The same experiments
packets belonging to the same packet stream and were repeated a number of times to find the average
shows the difference in the one-way delay that UDP throughput. The results of these experiments are
packets experience in the network. Jitter is presented in figure 8. This figure indicates clearly that
effectively a variation of packet delay where delays the UDP throughput values of the wired PPTP, the
actually impact the quality of service. wired L2TP/IPSec, the wireless PPTP, and the wireless
L2TP/IPSec are equal to the transmission rate if the
• Packet loss is measured as the portion of packets transmission rate is less than 8000 kbits/sec and less
transmitted but not received in the destination
than the transmission rate if the transmission rate is
compared to the total number or packets
more than 8000 kbits/sec. In addition, this figure
transmitted.
indicates clearly that the UDP throughput values of the
wired OpenVPN and the wireless OpenVPN are equal
6. Experimental Results to the transmission rate if the transmission rate is less
than 200 kbits/sec and less than the transmission rate if
Iperf tool is used to measure TCP Throughput in the transmission rate is more than 200 kbits/sec. Also,
TCP mode and UDP throughput, jitter and packet loss this figure indicates clearly that the UDP throughput
in UDP mode [12]. Hrping tool is also used to measure values of the wired OpenVPN and the wireless
RTT [13]. The following results were collected from OpenVPN is always less than 500 kbits/sec.
the two test beds were illustrated in section 5.
6.4. Jitter
6.1. TCP Throughput
Jitter is measured according to the transmission rate
TCP throughput is measured according to TCP of packets. The same experiments were repeated a
window size and time of test. The same experiments number of times to find the average Jitter. The results
were repeated a number of times to find the average of these experiments are presented in figure 9. This
TCP throughput. The results of these experiments are figure indicates clearly that the wired PPTP, the wired
presented in figures 5 and 6. These figures indicate L2TP/IPSec, the wireless PPTP, and the wireless
clearly that the wired PPTP has produced the best L2TP/IPSec have produced a low Jitter values. Also,
value, the wired OpenVPN has produced the second this figure indicates that the wired OpenVPN and the
value, the wired L2TP/IPSec has produced the third wireless OpenVPN have produced a high Jitter values
value, the wireless PPTP has produced the forth value, if the transmission rate is more than 200 kbits/sec.
the wireless OpenVPN has produced the fifth value,
and the wireless L2TP/IPSec has produced the lowest 6.5. Packet loss
value.
Packet loss is measured according to the
6.2. Round Trip Time (RTT) transmission rate of packets. The same experiments
were repeated a number of times to find the average
RTT can be measured by sending packets with a Packet loss. The results of these experiments are
variant packet size from a client to the server. The presented in figure 10. This figure indicates clearly
same experiments were repeated a number of times to that the wired PPTP, the wired L2TP/IPSec, the
find the average RTT. The results of these experiments wireless PPTP, and the wireless L2TP/IPSec have
are presented in figure 7. This figure indicates clearly produced a low Packet loss values. Also, this figure
that the wired PPTP has produced the best value, the indicates clearly that the wired OpenVPN and the
wired OpenVPN has produced the second value, the wireless OpenVPN have produced a high Packet loss
wired L2TP/IPSec has produced the third value, the values if the transmission rate is more than 200
wireless PPTP has produced the forth value, the kbits/sec.
wireless OpenVPN has produced the fifth value, and
the wireless L2TP/IPSec has produced the last value.
Figure 5. TCP throughput according to the Figure 8. UDP throughput according to the
window size transmission rate.
Figure 6. TCP throughput according to the Figure 9. Jitter according to the transmission
time of test rate.
Figure 7. RTT according to the packet data Figure 10. Packet loss according to the
size. transmission rate.
The experimental results of the two test beds are summarized in table 3.

Table 3. Summary of the experimental results

TCP throughput (best to lowest):
  1. Wired PPTP
  2. Wired OpenVPN
  3. Wired L2TP/IPSec
  4. Wireless PPTP
  5. Wireless OpenVPN
  6. Wireless L2TP/IPSec

Round Trip Time (RTT) (best, i.e. lowest, to last):
  1. Wired PPTP
  2. Wired OpenVPN
  3. Wired L2TP/IPSec
  4. Wireless PPTP
  5. Wireless OpenVPN
  6. Wireless L2TP/IPSec

UDP throughput:
  High: Wired PPTP, Wired L2TP/IPSec, Wireless PPTP, Wireless L2TP/IPSec
  Low: Wired OpenVPN, Wireless OpenVPN

Jitter:
  Low: Wired PPTP, Wired L2TP/IPSec, Wireless PPTP, Wireless L2TP/IPSec
  High: Wired OpenVPN, Wireless OpenVPN

Packet loss:
  Low: Wired PPTP, Wired L2TP/IPSec, Wireless PPTP, Wireless L2TP/IPSec
  High: Wired OpenVPN, Wireless OpenVPN
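The four metrics defined in section 5 and reported in sections 6.1 to 6.5, computed from a constructed UDP packet trace, as an added example that is not part of the paper. Throughput, loss and jitter are derived from per-datagram sequence numbers and send/receive timestamps, which is how an iperf UDP server produces the figures behind figures 8 to 10 (iperf carries a sequence number and a sender timestamp in every datagram and reports the RFC 3550 smoothed jitter); RTT is averaged per probe size, which is how an hrping size sweep is summarised in figure 7. The trace, its offered rate and the RTT samples are constructed for illustration.

```python
"""Section 5 metrics from a UDP packet trace (added example, not the paper's code).

Derives throughput, packet loss and jitter from per-datagram send/receive
timestamps the way an iperf UDP server does, and averages RTT per probe size
as in the hrping sweep of section 6.2. All input data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Datagram:
    seq: int         # sender sequence number, starting at 1
    sent_ms: float   # sender timestamp carried in the datagram
    recv_ms: float   # receiver timestamp on arrival
    size: int        # UDP payload bytes


# Constructed trace: 10 datagrams of 1000 bytes offered every 10 ms
# (800 kbit/s). seq 7 never arrives; seq 3 and seq 5 are delayed.
TRACE: List[Datagram] = [
    Datagram(1, 0.0, 5.0, 1000), Datagram(2, 10.0, 15.0, 1000),
    Datagram(3, 20.0, 26.0, 1000), Datagram(4, 30.0, 35.0, 1000),
    Datagram(5, 40.0, 48.0, 1000), Datagram(6, 50.0, 55.0, 1000),
    Datagram(8, 70.0, 75.0, 1000), Datagram(9, 80.0, 85.0, 1000),
    Datagram(10, 90.0, 95.0, 1000),
]
SENT_COUNT = 10           # datagrams the sender transmitted
TEST_DURATION_MS = 100.0  # length of the measurement interval the trace covers


def throughput_kbps(trace: Sequence[Datagram], duration_ms: float) -> float:
    """Received payload bits per unit of test time, in kbit/s (bits per ms)."""
    return 8 * sum(d.size for d in trace) / duration_ms


def offered_rate_kbps(sent_count: int, size: int, duration_ms: float) -> float:
    """Transmission rate the sender was asked for (the x axis of figures 8 to 10)."""
    return 8 * sent_count * size / duration_ms


def packet_loss_percent(trace: Sequence[Datagram], sent_count: int) -> float:
    """Section 5 definition: datagrams not received over datagrams transmitted."""
    return 100.0 * (sent_count - len(trace)) / sent_count


def jitter_rfc3550_ms(trace: Sequence[Datagram]) -> float:
    """Smoothed interarrival jitter (RFC 3550, section 6.4.1), the estimator iperf reports.

    D is the change in one-way delay between consecutive received datagrams,
    so a lost datagram widens the gap but does not break the estimate.
    """
    jitter = 0.0
    prev_delay = None
    for d in sorted(trace, key=lambda x: x.seq):
        delay = d.recv_ms - d.sent_ms
        if prev_delay is not None:
            jitter += (abs(delay - prev_delay) - jitter) / 16.0
        prev_delay = delay
    return jitter


def delay_variation_mean_ms(trace: Sequence[Datagram]) -> float:
    """Unsmoothed form of the section 5 definition: mean of |delay_i - delay_(i-1)|."""
    delays = [d.recv_ms - d.sent_ms for d in sorted(trace, key=lambda x: x.seq)]
    diffs = [abs(a - b) for a, b in zip(delays[1:], delays)]
    return sum(diffs) / len(diffs) if diffs else 0.0


def mean_rtt_by_size(samples: Sequence[Tuple[int, float]]) -> Dict[int, float]:
    """Average RTT per probe size from (bytes, rtt_ms) samples, as plotted in figure 7."""
    buckets: Dict[int, List[float]] = defaultdict(list)
    for size, rtt in samples:
        buckets[size].append(rtt)
    return {size: sum(v) / len(v) for size, v in buckets.items()}


if __name__ == "__main__":
    print("offered   %.0f kbit/s" % offered_rate_kbps(SENT_COUNT, 1000, TEST_DURATION_MS))
    print("achieved  %.0f kbit/s" % throughput_kbps(TRACE, TEST_DURATION_MS))
    print("loss      %.1f %%" % packet_loss_percent(TRACE, SENT_COUNT))
    print("jitter    %.3f ms (RFC 3550), %.3f ms (mean delay variation)"
          % (jitter_rfc3550_ms(TRACE), delay_variation_mean_ms(TRACE)))
    # constructed hrping-style samples: (probe size in bytes, rtt in ms)
    print(mean_rtt_by_size([(32, 1.0), (32, 1.5), (1024, 2.0), (1024, 3.0)]))
```

With this trace the achieved rate is below the offered rate only because one datagram was lost, which is exactly the shape figure 8 shows above the knee: UDP has no flow control, so the offered rate is unchanged and the shortfall appears as loss and, when the receiver or tunnel queues, as jitter. Jitter is computed over received datagrams only, so a lossy run with otherwise constant delay still reports low jitter; loss and jitter have to be read together, as table 3 does.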
7. Conclusion and Future Work

This paper has presented an experimental performance evaluation of wired and wireless remote access VPNs, namely PPTP, L2TP/IPSec, and OpenVPN, on a Fedora Core 6 VPN server. From the results collected from the test beds and the requirements of user applications, the following conclusions are drawn:
• Because PPTP introduces the smallest per-packet overhead of the three, PPTP has produced the best performance values for both TCP- and UDP-based user applications.
• In order to provide strong security, L2TP/IPSec combines L2TP's tunnel with IPSec's secure channel, which increases the per-packet overhead. Consequently, L2TP/IPSec has produced good performance values for both TCP- and UDP-based user applications.
• Because OpenVPN was written as a user space daemon rather than a kernel module, OpenVPN has produced low performance values in high traffic environments for UDP-based user applications.
• The wireless test bed performance values indicate that the deployment of VPNs on a wireless network infrastructure can be considered an acceptable choice to secure transmission between wireless clients and their wired enterprise network.

This work should be extended to include performance evaluation of the remote access VPNs on other software (such as BSD, Mac, and Solaris) and hardware (such as 3Com, ADTRAN, Cisco, and Juniper) VPN servers. OpenVPN needs to be tuned to improve its performance with UDP-based user applications.

References

[1] R. Fisli, "Secure Corporate Communications over VPN-Based WANs," Master's degree project, Royal Institute of Technology, Sweden, 2005.
[2] J. C. Snader, "VPNs Illustrated: Tunnels, VPNs, and IPSec," Addison-Wesley, 2006.
[3] RFC 2637, "PPTP," IETF, ftp://ftp.isi.edu/in-notes/rfc2637.txt, 1999.
[4] RFC 2661, "L2TP," IETF, ftp://ftp.isi.edu/in-notes/rfc2661.txt, 1999.
[5] RFCs 2401-2411 and 2451, "IPSec," IETF, ftp://ftp.isi.edu/in-notes/, 1999.
[6] http://www.microsoft.com, 2007.
[7] http://sourceforge.net/project/showfiles.php?group_id=44827, 2007.
[8] http://www.xelerance.com/software/xl2tpd, 2007.
[9] http://www.openswan.org, 2007.
[10] http://openvpn.net/download.html, 2007.
[11] IP Performance Metrics (IPPM) Working Group, IETF, http://www.ietf.org/html.charters/ippm-charter.html.
[12] http://dast.nlanr.net/projects/IPerf, 2007.
[13] http://www.cfos.de, 2007.