How to measure the time needed to bring up an IPSec tunnel

Diabolicus23 · ‎09-09-2015

Do you know if it's possible to have a precise measure of the time needed in order to bring up an IPSec tunnel?

emnoc · ‎09-09-2015

That's almost hard to predict. It's like predicting when the 1st drop of rain would fall

Why do you need or think you need precise time? You hve factors from latency, how manyhops, & then response time from the initiator or responder to contend with.

Ken

PCNSE

NSE

StrongSwan

Diabolicus23 · ‎09-09-2015

I don't want to predict I'd like to "measure" a specific event during it occurs.

emnoc · ‎09-09-2015

Than measure the time of the 1st IKE packet sent as a initiator and the time the phase2 SPI are set. That time would very for all of the variable I mention before.

Ideally, you could run tshark and look at timestamps of a flow of packets for the IKE1 and ESP data. if you are critical you could use IKEv2 to maybe shave a few hairs off in "ms" but this is not going to be very noticeable to the end user & then you have the variable in either the initiator or responder & the layer3 path.

All I can tell you, ipsec-vpns are short in overall setup times than ssl-vpns.

YMMV

Ken

PCNSE

NSE

StrongSwan