slow transfer speeds ove ipsec
-
@hescominsoon Can you list all of your IPsec settings in detail (other than IP addresses)?
-
@planedrop i put everything back to defaults..deleted the big file and am using filezilla to transfer everything to an ftp server i setup on the destination temporarily. i have 10 transfers going at once and am touching 220 megabits now..which is nearly the bandwidth at the remote iirc(the source just got upgraded to 500 megabits)...i will tinkert some more but so far the only change i am running now is the gcm version of aes..literally everything else is at defaults
-
@hescominsoon No I mean your settings for the IPsec tunnel itself, there aren't "defaults" you have to configure things.
For example, is your Phase 1 IKE V2? What authentication method? AES128-GCM but what is the Key Length and DH Group set to?
I think the best way we can help is if we have a list of every setting that is configured on your tunnel for both phase 1 and phase 2. Then we can give better advice on what to adjust to improve performance.
-
@hescominsoon now the 71 is using up to 56 percent cpu..i am ok with that at least i am seeing decent performance...:)
-
@planedrop said in slow transfer speeds ove ipsec:
@hescominsoon No I mean your settings for the IPsec tunnel itself, there aren't "defaults" you have to configure things.
For example, is your Phase 1 IKE V2? What authentication method? AES128-GCM but what is the Key Length and DH Group set to?
I think the best way we can help is if we have a list of every setting that is configured on your tunnel for both phase 1 and phase 2. Then we can give better advice on what to adjust to improve performance.
i am using and AES-NI CPU Crypto: Yes (active)
IPsec-MB Crypto: Yes (active) sha 256 dh group 14 aes-gcm 128 that's what is in phase 1 i am using psk for authentication the key kength is 128 as per aes-128.... -
@planedrop yes ike is v2 which is what the system setup by default...:)
-
so now with everything as the system did by default when i first setup the vpn(with the exception of switching to aes gcm 128 instead of regular aes-128) and using ftp with 10 simultaneous transfers i am seeing a maximum of 400 megabits...which works much better.
-
@hescominsoon glad it's working better. GCM is far more efficient and is the way to go if you care about speed.
As for key length, I was asking about that setting because the key length setting actually becomes the ICV when you use AES GCM (it just doesn't dynamically rename itself).
Also, if you care about security, I would recommend using DH21 instead, 14 is fine but 21 is a good amount more secure.
Glad you are seeing better performance though, that is almost certainly due to GCM being used.
-
@planedrop said in slow transfer speeds ove ipsec:
@hescominsoon glad it's working better. GCM is far more efficient and is the way to go if you care about speed.
As for key length, I was asking about that setting because the key length setting actually becomes the ICV when you use AES GCM (it just doesn't dynamically rename itself).
Also, if you care about security, I would recommend using DH21 instead, 14 is fine but 21 is a good amount more secure.
Glad you are seeing better performance though, that is almost certainly due to GCM being used.
i will switch it to 21 once this half terabyte transfer completes..i am way behind now trying to get the performance worth using...:)
-
@hescominsoon Totally get you yeah. 14 is still considered secure but may not be considered so for much longer, so I'd say no rush on it but yeah swap to 21 when you can. You shouldn't really see much of a performance degradation with it either, if any at all.
I'd recommend 21 for both Phase 1 and 2.
-
@planedrop said in slow transfer speeds ove ipsec:
@hescominsoon Totally get you yeah. 14 is still considered secure but may not be considered so for much longer, so I'd say no rush on it but yeah swap to 21 when you can. You shouldn't really see much of a performance degradation with it either, if any at all.
I'd recommend 21 for both Phase 1 and 2.
for giggles i paused the ftp transfers and switched back to regular aes...and performance is the same as with gcm set...make any sense?
-
once the ransfers done i wil post a detailed list of the ipsec vpn config...
-
I usually follow these settings: https://docs.netgate.com/pfsense/en/latest/vpn/performance.html
Sometimes I have to use AES-CBC instead, if the other side is a mikrotik for an example. No problems with performance..
-
@mcury said in slow transfer speeds ove ipsec:
I usually follow these settings: https://docs.netgate.com/pfsense/en/latest/vpn/performance.html
Sometimes I have to use AES-CBC instead, if the other side is a mikrotik for an example. No problems with performance..
i will check that out...i did make sure both phase 1 and phase 21 on both ends were set to aes-gcm 128...:)
-
@hescominsoon When accelerated AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
-
@planedrop said in slow transfer speeds ove ipsec:
@hescominsoon When accelerated AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
so i went through those items in the documentation and put those into place...we shall see how it helps...:)_
-
@planedrop said in slow transfer speeds ove ipsec:
@hescominsoon When accelerated AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
well now..those small changes have helped..now i am getting bursts to maxing out the connection...since it's a series of small transfers it's not there all the time but those have definitely helped. i will do a large file transfer over smb later..although i know it won't be nearly as fast...:)
-
@hescominsoon Glad it's working better now. SMB will definitely be slower but should be far more usable.