Indus River Networks, Inc. RiverWorks™ Enterprise VPN ver. 1.2 versus Nortel Networks Contivity Extranet Switch 4000 and TimeStep™ Corp. PERMIT/Gate™ 7520

VPN Tunneling Competitive Evaluation

The Tolly Group, No. 199125, August 1999
© 1999 The Tolly Group

Test Highlights

  • Delivers a single tunnel forwarding rate 23% faster than the Contivity Extranet Switch 4000 when using IPSec with Triple-DES encryption over a simulated 56 Kbit/s Internet connection (ASCII data/compression enabled)

  • Forwards traffic 60% faster over a single tunnel than the PERMIT/Gate 7520 when using IPSec with Triple-DES encryption over a simulated Internet connection with 1% packet loss and 200 ms round-trip latency

  • Achieves a 50% faster forwarding rate over a single tunnel than the Contivity Extranet Switch 4000 when using PPTP with 128-bit encryption

Test Summary

Premise: Users who choose to migrate to virtual private networks (VPNs) for remote user access need to provide their users with quick and reliable connections. Packet loss and high latency plague today’s Internet, especially when connecting via low-speed, dial-up modems. VPN vendors who promote remote user access must engineer their products to optimize the performance of low-speed connections. Using the Internet as a transport for remote-user VPN tunnel sessions as opposed to more costly direct-dial lines to a traditional remote access server, is a viable option if the product being used can effectively optimize data transport over the Internet.

Indus River Networks, Inc. commissioned The Tolly Group to test its RiverWorks Enterprise VPN against Nortel Networks’ Contivity Extranet Switch 4000 (CES 4000) and TimeStep Corp.’s PERMIT/Gate 7520. Tests were conducted to determine the single-tunnel throughput for IPSec and the point-to-point tunneling protocol (PPTP) connections over a simulated Internet. Tests shipping ASCII text data across 56 Kbit/s links, and using compression where available, reveal that RiverWorks delivers an average 20% to 60% greater IPSec throughput than Nortel’s CES 4000 or TimeStep’s PERMIT/Gate 7520. Results also demonstrate that RiverWorks delivered 50% greater throughput when using PPTP than the CES 4000. Testing was performed in June 1999.

[Figure 1: Single-Tunnel IPSec Application Throughput*, ASCII Text Over 56 Kbit/s Link (Compression Enabled). Bar chart, throughput in Kbit/s: Indus River RiverWorks 80.49; Nortel CES 4000 65.41; TimeStep PERMIT/Gate 7520** 50.34. Source: The Tolly Group, August 1999.]

*Simulated Internet conditions of 200 ms delay, 1% packet loss.
**The TimeStep PERMIT/Gate 7520 does not support compression.

Results

IPSec Throughput

Indus River Networks’ RiverWorks Enterprise VPN demonstrated superior throughput when testing a single VPN tunnel supporting IPSec with Triple-DES encryption. In a simulated Internet with 200 ms round-trip latency and 1% packet loss, RiverWorks delivered 80.49 Kbit/s while the CES 4000 averaged 65.41 Kbit/s throughput and the PERMIT/Gate 7520 delivered 50.34 Kbit/s. Tests were conducted using ASCII text data with compression enabled over a 56 Kbit/s link with the exception of TimeStep, whose product does not support data compression. See figure 1.

PPTP Throughput

The Tolly Group engineers performed a second set of tests that showed the RiverWorks Enterprise VPN’s capability to display superior performance when using the point-to-point tunneling protocol (PPTP) with 128-bit encryption using ASCII text data with compression enabled to exceed the 56 Kbit/s link speed. In a simulated Internet with 200 ms latency and 1% packet loss, RiverWorks Enterprise VPN delivered throughput at a rate of 84.22 Kbit/s, while Nortel’s CES 4000 delivered throughput at 56.19 Kbit/s. See figure 2. TimeStep PERMIT/Gate 7520 does not support PPTP and therefore was not tested.

Note: Nortel Networks does not offer its own PPTP client for the Contivity Extranet Switch 4000, therefore engineers used the Nortel-recommended Microsoft Dial-up Networking version 1.3 PPTP client for testing.

Analysis

When moving traffic across VPNs, users typically employ two of the primary, industry-standard tunneling methods — IPSec or PPTP. This test shows the results of a single tunnel test of a one-session loading on the tunnel server. Furthermore, the traffic type chosen, ASCII text, is highly compressible and thus illustrates well the potential benefits of compression. (Note: If files containing previously compressed data, such as the output from the WINZIP utility, were shipped across the link, effective throughput would be lower). Using the combination of compression and Triple-DES encryption, engineers demonstrated that RiverWorks Enterprise VPN has higher throughput for text-based file transfers, content that is similar to what one would typically find in Web newsgroup items.

[Figure 2: Single-Tunnel PPTP Application Throughput*, ASCII Text Over 56 Kbit/s Link (Compression Enabled). Bar chart, throughput in Kbit/s: Indus River RiverWorks 84.22; Nortel CES 4000** 56.19. Source: The Tolly Group, August 1999.]

*Simulated Internet conditions of 200 ms delay, 1% packet loss.
**The Nortel CES 4000 uses a Microsoft PPTP client.

When dealing with the low-speed lines of a telephone connection, typically a 56 Kbit/s leased line, users need to utilize products that can enhance the speed of their data throughput such as built-in compression, which makes the line appear faster than it really is. As this set of tests shows, not all VPN tunneling products offer the same compression algorithms — some don’t offer compression at all. Products such as RiverWorks include built-in data compression resulting in the “effect” of a faster line.

When testing IPSec throughput performance of what Indus River classifies as the average performance level across the Internet, RiverWorks outperforms its competitors by more than 20%. RiverWorks clearly comes out as the superior product for handling VPN tunneling. This indicates that the RiverWorks user will have increased productivity due to the effective throughput at the application layer. If the line appears faster, then it takes less time to transfer a file, so more tasks can get done.

Indus River chose to test the TimeStep PERMIT/Gate 7520 although the product does not support compression to show that the market for RAS over the Internet demands compression in order to achieve acceptable throughput. Indus River wanted to show the inadequacy of a competing product if it doesn’t meet a basic market requirement.

Users who choose to employ products that support VPN tunnels across the Internet rather than a direct dial-up RAS line to the enterprise, need to know that the VPN will offer enterprise-class performance. Testing showed that RiverWorks could establish and support reliable, high-performance VPN tunnels.

If one was to attempt to forward a 1-Mbyte file over a single tunnel IPSec application link, it would take RiverWorks approximately 13 minutes, while the same transfer would consume approximately 16 minutes for the CES 4000 and approximately 22 minutes for the PERMIT/Gate 7520. See figure 3.

If one was to attempt to forward a 1-Mbyte file over a single tunnel PPTP application link, it would take RiverWorks approximately 13 minutes versus approximately 19 minutes for the CES 4000.

Test Configuration and Methodology

Engineers loaded Indus River Networks, Inc. RiverWorks Enterprise VPN Client, RiverPilot version 1.2, Nortel Networks’ Contivity Extranet Switch 4000 Client Software version 2.50V02_10.06, Microsoft Corp. PPTP Client Software Windows 98 version 1.3 and a TimeStep PERMIT/Gate 7520 Client Software version 1.10 onto a Sony 233-MHz Pentium PC model number PCG707. The Pentium was equipped with 64 Mbytes of RAM. Ganymede Software Inc. Chariot version 2.2 endpoint was attached to a Nortel Networks’ NetGear Ethernet concentrator model number EN108TP. To simulate an Internet environment, engineers connected Shunra Software, Ltd.’s The Cloud, version 1.1, a software test tool which emulates a WAN environment. During these tests, The Cloud simulated a 56 Kbit/s link into an Internet-like environment. By introducing scenarios where latency and frame loss are present while testing, engineers created “less-than-perfect” conditions. The Cloud was then connected to one of the three VPN gateways under test that were loaded onto a DSI 233-MHz MMX Pentium desktop equipped with 64 Mbytes of RAM and supporting Microsoft Corp. Windows NT Workstation. See figure 4a and 4b.

The RiverWorks Enterprise VPN model number was RTS-5000 VPN gateway version 1.2 Build 30 and the Nortel Networks’ Contivity Extranet Switch 4000 VPN gateway was version V02_10.06. TimeStep PERMIT/Gate 7520 model number PN r0-5077-01/f VPN gateway hardware version 2.1 and software version 1.0 was used during testing.

A second Ethernet concentrator was connected to the VPN gateway under test that was configured with a generic desktop PC loaded with a Ganymede Systems, Inc. Chariot Console version 2.2 and Windows NT Workstation with Service Pack 3. Also connected to the concentrator was a Toshiba Satellite Ethernet analyzer model number 4020CDT version 3.0 loaded with Network Associates NetXRay version 3. The NetXRay was used to validate and verify packet content. Engineers configured The Cloud for periodic packet loss and fixed latency to provide consistencies during testing. By using this configuration, the test can be repeated. When setting up The Cloud for “random loss and latency,” the test cannot be reproduced.

RiverWorks™ Enterprise VPN Product Specifications*

Tunneling Protocols
  • IPSec
  • PPTP

Encryption Algorithms
  • DES (56-bit)
  • Triple-DES (168-bit)
  • RC4 compatible (40-bit and 128-bit)

Compression Algorithm
  • Microsoft point-to-point compression
  • Pre-encryption, stateful compression

Authentication Algorithms
  • MD5
  • SHA-1
  • MS-CHAP

Authentication Services
  • RiverWorks User List (MS-CHAP)
  • RADIUS
  • NT Domains
  • Novell NDS
  • SecurID (ACE/Server)
  • Axent Defender

Encapsulated LAN Protocols
  • IP
  • IPX
  • NetBEUI over TCP

Tunnel Server Capacity
  • 2,000 simultaneous tunnels

Routing Protocols
  • RIP, RIP2
  • OSPF
  • Supports dynamic Virtual Network addressing, local network addressing, or static routes

For more information contact:
Indus River Networks, Inc.
31 Nagog Park
Acton, MA 01720
Phone: 978-266-8100
Fax: 978-266-8111
E-mail: [email protected]
http://www.indusriver.com

*Vendor-supplied information not verified by The Tolly Group

IPSec Throughput

For performance tests, The Tolly Group measured the throughput performance of the three VPN solutions under test when supporting a single user connection to a VPN built over a simulated Internet (as referenced above). Indus River’s RiverWorks Enterprise VPN, Nortel Networks’ Contivity Extranet Switch 4000 and TimeStep Corp.’s PERMIT/Gate 7520 were configured for IPSec with Triple-DES encryption and a pre-shared secret key.

For IPSec Gateway testing, engineers initiated a unidirectional batch data transfer using Chariot 2.2 filesndl.scr with The Cloud using 200 ms with 1% packet loss. IPSec gateways were configured for IPSec with Triple-DES encryption, using the highest level supported by each individual system under test. The VPN protocol and encryption were verified through the user interface. Engineers simulated application traffic for a period of at least five minutes and recorded the results as reported by the test system. Throughput was recorded by Chariot in Kbit/s. Engineers executed three consecutive iterations of each test and reported the average of each three as the final test results.

[Figure 3: Single-Tunnel IPSec Application Throughput of a 1-Mbyte File*, ASCII Text Over 56 Kbit/s Link (Compression Enabled). Bar chart, time in minutes: Indus River RiverWorks 13.3; Nortel CES 4000 16.3; TimeStep PERMIT/Gate 7520** 21.9. Source: The Tolly Group, August 1999.]

*Simulated Internet conditions of 200 ms delay, 1% packet loss.
**The TimeStep PERMIT/Gate 7520 does not support compression.

PPTP Performance

The Tolly Group engineers conducted a second set of tests, using PPTP on the RiverWorks Enterprise VPN and the CES 4000. Since the CES 4000 does not include its own PPTP client, engineers used the Microsoft Dial-Up Networking version 1.3 recommended by Nortel.

For PPTP Gateway testing, engineers used the same methodology employed in IPSec throughput testing.

Equipment Acquisition and Support

The Nortel Networks Contivity Extranet Switch 4000 and the TimeStep PERMIT/Gate 7520 were acquired through normal distribution channels. The Tolly Group contacted executives at the vendor companies and invited them to provide a higher level of support than available through normal channels. Nortel declined the invitation stating that it would be releasing a new VPN product in the future that is more properly positioned for the test. TimeStep did not decline but could not provide a higher level of support because it doesn’t support PPTP and does not support compression for IPSec tests. The software level was tested as supplied.

For a more complete understanding of the interaction between The Tolly Group, Nortel Networks and TimeStep Corp., check out the Technical Support Diary for Competitive Products Tested posted on The Tolly Group’s World Wide Web site at http://www.tolly.com. See document number 199125.

[Figure 4a: Test Bed (Physical Environment). Source: The Tolly Group, August 1999.]

[Figure 4b: Test Bed (Logical Environment). Source: The Tolly Group, August 1999.]

The Tolly Group gratefully acknowledges the providers of test equipment used in this project.

Vendor                      Product            Web address
Ganymede Software, Inc.     Chariot            http://www.ganymede.com
Network Associates, Inc.    NetXRay Sniffer    http://www.nai.com
Shunra Software, Ltd.       The Cloud          http://www.shunra.com

Since its inception, The Tolly Group has produced high-quality tests that meet three overarching criteria: All tests are objective, fully documented and repeatable.

We endeavor to provide complete disclosure of information concerning individual product tests, and multiparty competitive product evaluations.

As an independent organization, The Tolly Group does not accept retainer contracts from vendors, nor does it endorse products or suppliers. This open and honest environment assures vendors they are treated fairly, and with the necessary care to guarantee all parties that the results of these tests are accurate and valid. The Tolly Group has codified this into the Fair Testing Charter, which may be viewed at http://www.tolly.com.

Project Profile

Sponsor: Indus River Networks, Inc.
Document number: 199125
Product class: VPN Tunnel Server
Products under test:
  • RiverWorks Enterprise VPN version 1.2
  • Nortel Networks' CES 4000 version V02_10.06
  • TimeStep, Inc. PERMIT/Gate 7520 hardware version 21/software version 1.00
Testing window: June 1999
Software status:
  • Readily available
Additional information available:
  • Technical Support Diary
  • Configuration Files

For more information on this document, or other services offered by The Tolly Group, visit our World Wide Web site at http://www.tolly.com, send E-mail to [email protected], call (800) 933-1699 or (732) 528-3300.

Internetworking technology is an area of rapid growth and constant change. The Tolly Group conducts engineering-caliber testing in an effort to provide the internetworking industry with valuable information on current products and technology. While great care is taken to assure utmost accuracy, mistakes can occur. In no event shall The Tolly Group be liable for damages of any kind including direct, indirect, special, incidental, and consequential damages which may result from the use of information contained in this document. All trademarks are the property of their respective owners. The Tolly Group doc. 199125 rev. clk 11 Aug 99