How we did it

By Joel Snyder
Network World, 10/01/01

We used equipment from Cubix and Spirent Communications to build a test bed surrounding the VPN security gateways under test. We used the Cubix Density system running custom software to create VPN tunnels, verify connectivity between the gateways, measure uptime and display the full connectivity matrix.

We developed our test methodology with engineers from the VPN Consortium and will present a demonstration of this interoperability test at the upcoming VPNCON trade show in Alexandria, Va., from October 15-18.

We created an IP Security (IPSec) profile that we believe a prudent network manager would want for a corporate VPN network.

For Internet Key Exchange (IKE), the profile specified Triple-Data Encryption Standard (Triple-DES) encryption, Secure Hash Algorithm 1 (SHA-1) authentication, Diffie-Hellman Group 2 (MODP-1024) and a lifetime of 8 hours. For IPSec, it specified Triple-DES encryption, SHA-1 authentication, perfect forward secrecy using Diffie-Hellman Group 2, and a lifetime of one hour.
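The profile above, written out as strongSwan ipsec.conf connection definitions, as an added example that is not configuration from the review or from any product tested. The syntax is assumed to be strongSwan 5.x; gateway addresses, subnets, certificate file names and identities are placeholders, and the second connection shows the preshared-secret fallback used for gateways that could not take certificates.

```ini
# Added example: the review's IKE/IPSec profile expressed in strongSwan's
# ipsec.conf (assumed 5.x syntax; addresses and names are placeholders).
config setup

conn %default
    keyexchange=ikev1
    # IKE (phase 1): Triple-DES, SHA-1, DH group 2 (MODP-1024), 8-hour lifetime.
    # The trailing "!" makes the proposal strict: a peer offering anything
    # else is refused rather than negotiated down.
    ike=3des-sha1-modp1024!
    ikelifetime=8h
    # IPSec (phase 2): Triple-DES, SHA-1, one-hour lifetime. Naming a DH
    # group in the ESP proposal is what turns on perfect forward secrecy.
    esp=3des-sha1-modp1024!
    lifetime=1h
    auto=start

# Gateway pair authenticated with certificates issued by the PKI (the common case).
conn hq-to-branch-cert
    authby=pubkey
    left=192.0.2.1              # placeholder: this gateway
    leftcert=hq-gateway.pem     # placeholder: certificate issued by the CA
    leftsubnet=10.1.0.0/16
    right=198.51.100.1          # placeholder: peer gateway
    rightid="C=US, O=Example, CN=branch-gateway"   # placeholder peer DN
    rightsubnet=10.2.0.0/16

# Fallback for a peer that cannot use certificates: preshared secret.
# The secret itself belongs in ipsec.secrets, e.g.
#   192.0.2.1 198.51.100.2 : PSK "placeholder-secret"
conn hq-to-branch-psk
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.2          # placeholder: peer without certificate support
    rightsubnet=10.3.0.0/16
```

Triple-DES, SHA-1 and MODP-1024 reflect 2001 practice; the strict proposals keep that profile exact for an interoperability check, whereas a current deployment would pick AES, SHA-2 and a larger group.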

Our test bed comprised multiple data centers and branch offices with switches, routers and firewalls. We tested the interoperability of each product against every other VPN product both in setting up initial VPN connections and in maintaining long-term operation over a few days. Specifically, we rated how each product worked with each other product, with our certificate authority and popular VPN client software, and how well different VPN authentication methods worked in our hypothetical network.

To handle authentication of the security association, we used an Entrust public-key infrastructure (PKI) to issue digital certificates to each security gateway. Because Entrust's PKI corners a significant share of the market, it was reasonable to expect all devices to support it, at least in manual enrollment mode. Some devices supported Simple Certificate Enrollment Protocol (SCEP) enrollment to our Entrust PKI; with others, we used manual enrollment to the Entrust server. We used preshared secrets for authentication in cases where the security gateway did not support digital certificates (or our Entrust PKI).

To capture performance for these devices, we used a set of six Nokia CryptoCluster 5200 gateways against each system being tested. This configuration is sufficient to saturate a 100M bit/sec full-duplex Ethernet network with 64-octet packets. We generated User Datagram Protocol (UDP) packets of various sizes using Smartbits gear and off-the-shelf test software, and measured the offered load at which loss exceeded 0.1%, to a precision of 2M bit/sec.