01-05-2006 06:05 PM - edited 02-21-2020 02:11 PM
We have a VPN 3020 that provides WebVPN and VPN client server.
We find that when using VPN client access it is fast; on the same client, when using SSL VPN access, it is slow.
Why does this happen? Is the SSL encryption arithmetic slower than IPSec?
How can I improve the SSL access rate?
Thank you very much!
01-08-2006 09:15 PM
It has not so much to do with the encryption as to the basic functions of how each type of VPN works.
A standard IPSec client VPN is fairly simple, encrypted packets come into the concentrator, they're decrypted in hardware and the entire decrypted packet is simply forwarded on into the internal network. The same thing happens in the other direction. This can be done very fast.
SSL VPN on the other hand is a whole different process. Not only are the HTTPS packets decrypted, but the concentrator becomes basically a proxy server as well, having to inspect (and change) the data portion of the packet. Just look in your browser's URL location when browsing to a web site behind the VPN concentrator, the browser is actually pointing at the VPN concentrator, right? The VPN concentrator grabs this HTML packet, decodes it and then forwards it onto the internal web server. Any URL or location field within every HTML page also has to be modified so that it points to the concentrator and not straight to the internal server (which is inaccessible unless coming in over an SSL VPN). For example, let's say your internal web server has a main index page that has a bunch of links pointing to other pages on this server. Every one of those HTML tags, as it passes through the concentrator back towards your browser, has to be modified to point to . That way if you click on one of those links within the SSL VPN browser window the new request will also go to the VPN concentrator. You can see this simply by putting your cursor over any link on a web page that is being seen in an SSL VPN browse...
This process of decrypting the packet, checking its entire content, modifying it to point to the correct location and then sending it on is what slows everything down. It is also very CPU and memory intensive, which is why the numbers for total sessions and throughput are much lower for SSL VPN than for standard IPSec VPN.
There's not a whole lot you can do to improve the speed. Certainly if you have a lot of users or users that are doing a lot of SSL VPN functions then max out your memory to the highest possible, that will help. Other than that you have to accept that SSL VPN is a completely different product to IPSec VPN, it does a whole lot more work and will always run slower.
01-08-2006 09:43 PM
Ignore my other reply, the HTML formatting went a little haywire.
It has not so much to do with the encryption as to the basic functions of how each type of VPN works.
A standard IPSec client VPN is fairly simple, encrypted packets come into the concentrator, they're decrypted in hardware and the entire decrypted packet is simply forwarded on into the internal network. The same thing happens in the other direction. This can be done very fast.
SSL VPN on the other hand is a whole different process. Not only are the HTTPS packets decrypted, but the concentrator becomes basically a proxy server as well, having to inspect (and change) the data portion of the packet. Just look in your browser's URL location when browsing to a web site behind the VPN concentrator, the browser is actually pointing at the VPN concentrator, right? The VPN concentrator grabs this HTML packet, decodes it and then forwards it onto the internal web server. Any URL or location field within every HTML page also has to be modified so that it points to the concentrator and not straight to the internal server (which is inaccessible unless coming in over an SSL VPN). For example, let's say your internal web server has a main index page that has a bunch of links pointing to other pages on this server. Every one of those "A HREF='inside web server IP address/location'" HTML tags, as it passes through the concentrator back towards your browser, has to be modified to point to "A HREF='VPN concentrator IP address/location'". That way if you click on one of those links within the SSL VPN browser window the new request will also go to the VPN concentrator. You can see this simply by putting your cursor over any link on a web page that is being seen in an SSL VPN browser window, all the links on that page have been modified (by the concentrator) to point to the concentrator, not to the internal web server.
This process of decrypting the packet, checking its entire content, modifying it to point to the correct location and then sending it on is what slows everything down. It is also very CPU and memory intensive, which is why the numbers for total sessions and throughput are much lower for SSL VPN than for standard IPSec VPN.
There's not a whole lot you can do to improve the speed. Certainly if you have a lot of users or users that are doing a lot of SSL VPN functions then max out your memory to the highest possible, that will help. Other than that you have to accept that SSL VPN is a completely different product to IPSec VPN, it does a whole lot more work and will always run slower.
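The link rewriting described in the reply above, as an added example that is not part of the original posts and is not Cisco's implementation: a small Python rewriter showing the per-page work a clientless SSL VPN gateway does and that an IPSec tunnel never has to. The gateway name vpn.example.com, the inside server 10.1.1.20, the sample page and the /proxy/<scheme>/<host>/<path> URL layout are all assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.com"   # assumption: the concentrator's public name
INTERNAL_HOSTS = {"10.1.1.20"}        # assumption: the inside web server
PAGE_URL = "http://10.1.1.20/index.html"
# Constructed sample page: absolute, relative, root-relative and external links.
SAMPLE = ('<a href="http://10.1.1.20/hr/forms.html">Forms</a> '
          "<a href='reports/q1.html'>Q1</a> <img src=\"/img/logo.gif\"> "
          '<a href="http://www.example.org/">Outside</a>')

# Quoted href/src/action attribute values; every one must be inspected.
ATTR_RE = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2''', re.I | re.S)

def to_gateway(url, page_url):
    """Map a link found in an inside page to the (hypothetical) gateway URL."""
    parts = urlsplit(urljoin(page_url, url))   # resolve relative links first
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url                              # not an inside link: leave untouched
    query = f"?{parts.query}" if parts.query else ""
    return f"{GATEWAY}/proxy/{parts.scheme}/{parts.netloc}{parts.path or '/'}{query}"

def from_gateway(request_path):
    """Reverse mapping for an incoming request; None if the target is not allowed."""
    m = re.fullmatch(r"/proxy/(https?)/([^/]+)(/.*)?", request_path)
    if not m:
        return None
    scheme, netloc, rest = m.groups()
    # Allowlist check so the gateway only fetches from known inside servers.
    if urlsplit(f"{scheme}://{netloc}").hostname not in INTERNAL_HOSTS:
        return None
    return f"{scheme}://{netloc}{rest or '/'}"

def rewrite_html(html, page_url):
    """Rewrite every inside link in a page; returns (new_html, links_changed)."""
    changed = 0
    def swap(m):
        nonlocal changed
        new = to_gateway(m.group(3), page_url)
        changed += new != m.group(3)
        return f"{m.group(1)}{m.group(2)}{new}{m.group(2)}"
    return ATTR_RE.sub(swap, html), changed

if __name__ == "__main__":
    page, count = rewrite_html(SAMPLE, PAGE_URL)
    print(count, "links rewritten")
    print(page)
```

The whole response body has to be decrypted, scanned and re-serialised before it can be sent on, which is the CPU and memory cost the reply attributes to SSL VPN.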