Implementation and Performance Evaluation of IPSec VPN Based on Netfilter

We mainly explore two problems when combining IPSec module into TCP/IP stack by porting the famous IPSec software (FreeS/WAN) into a security gateway. One is how to implement the IPSec module based on Netfilter in Linux 2.4.x kernel. The other problem is the performance evaluation. We test the throughput of our security gateway before and after applying IPSec with different encryption/decryption algorithms, including the software-based and hardware-based method. With these testing data, we analyze further system performance bottleneck. In the end, we also infer the quantitative relation between the system throughput and the speed of encryption/decryption algorithm and propose some valuable conclusions for improving performance.