1GB fiber link over IPSec
-
I have two sites with 1gb fiber links. Tunnels are up and passing traffic. However, I am only getting around 5.5-6.5 MB/sec when transferring over the links. Is that a limitation in pfSense?
I called the fiber vendor and everything is set correctly.
-
There is no hardcoded limitation anywhere, except hardware limitations. You have to provide more information before anyone can guide you. In theory you can see speeds around 800/900 mbit/s for a 1gbit/s when using AES-NI with AES-128-GCM plus some good CPU cores.
-
As laped said, we need to know your hardware specs.
-
Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
8 CPUs: 1 package(s) x 4 core(s) x 2 SMT threads
4GB RAM.
CPU usage goes to a max of 8% when I transfer a file.
How can I route traffic from site A to site B?
Site A LAN 192.168.0.0 /24, Site B LAN 10.33.217.0 /24
Gateways are 192.168.0.253 and 10.33.217.253.
Direct link for fiber is 172.16.1.252 /24 and 172.16.1.253 /24
Do I just create a gateway from the interface of the site to site (172.16.1.252 to the other side 172.16.1.253), or does each site need to be on its own different subnets?
-
SITE A
WAN 1.1.1.1
LAN 192.168.0.253
DATA 10.10.10.253
VOICE 10.10.20.253
WIRELESS 10.10.30.253
PRINTERS 10.10.40.253
GUESTWIRELESS 10.10.50.253
SITETOSITE 172.16.1.253
SITE B
WAN 71.14.226.66
LAN 10.33.217.253
DATA 10.50.10.253
VOICE 10.50.20.253
WIRELESS 10.50.30.253
PRINTERS 10.50.40.253
GUESTWIRELESS 10.50.50.253
SITETOSITE 172.16.1.252
-
We don't need all your IP information; it doesn't tell anything about how IPsec has been configured.
What are you using for authentication and encryption for IKE_SA, IPSEC_SA etc.?
Have you enabled AES-NI?
What are you using to test transfer speed? Dragging a folder in Windows tells nothing. Use iperf for testing purposes.
Use Wireshark to test if packets get fragmented. If they are, reduce the MTU size for IPsec packets.
-
Sorry for the missing info
Phase One Auth is
Authentication Method Mutual PSK
Negotiation Mode Main
Phase One Algorithms
Encryption Algorithm AES 256 bits
Hash Algorithm SHA256
DH Key 2 (1024 bit)
Phase 2
Phase 2 Proposal (SA/Key Exchange)
Protocol ESP
Encryption Algorithms AES 256bits
Hash is SHA256
Have you enabled AES-NI? ------------ No, I have not. Do you have to have a crypto accelerator?
What are you using to test transfer speed? I am transferring a 2GB file across the tunnel.
I will run Wireshark and post the results.
-
Okay, I can see that you don't have AES-NI available on your CPU instruction set, but you should be able to see around 200 mbit/s without. Maybe you can see something weird testing with iperf and with Wireshark. Your encryption seems fine except DH 2 is weak and should be changed to at least 2048. Maybe changing from IKEv1 to IKEv2 should give better results too.
-
I don't see where to change from IKEv1 to IKEv2.
-
Never mind I am blind haha ;D
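-
The fragmentation check suggested earlier in the thread can be estimated before capturing anything. This is an added example, not from any poster and not pfSense code: it computes the on-wire size of an ESP tunnel-mode packet and the largest inner packet and TCP MSS that avoid fragmentation. It assumes IPv4, a 1500-byte link MTU, and that the posted "AES 256 bits" with SHA256 means AES-CBC with HMAC-SHA-256-128; the function names are illustrative.

```python
# Added example: ESP tunnel-mode overhead per cipher suite (IPv4).
# Field sizes are the standard ESP ones; treating the thread's
# "AES 256 bits" setting as AES-CBC is an assumption.
OUTER_IPV4 = 20        # outer IPv4 header added by tunnel mode
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
NAT_T_UDP = 8          # UDP encapsulation, only when NAT-T is in use
TCP_IPV4_HEADERS = 40  # inner IPv4 + TCP headers without options

# suite name: (IV bytes, ICV bytes, padding alignment in bytes)
SUITES = {
    "aes256-cbc-sha256": (16, 16, 16),  # ICV is HMAC-SHA-256 truncated to 128 bits
    "aes128-gcm16": (8, 16, 4),
}

def fixed_overhead(suite, nat_t=False):
    """Bytes added to every packet regardless of payload length."""
    iv, icv, _ = SUITES[suite]
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv

def esp_packet_size(inner_len, suite, nat_t=False):
    """On-wire size of one ESP packet carrying an inner packet of inner_len bytes."""
    align = SUITES[suite][2]
    padded = -(-(inner_len + ESP_TRAILER) // align) * align  # round up to alignment
    return fixed_overhead(suite, nat_t) + padded

def max_inner_packet(link_mtu, suite, nat_t=False):
    """Largest inner packet whose ESP packet still fits in link_mtu."""
    align = SUITES[suite][2]
    room = (link_mtu - fixed_overhead(suite, nat_t)) // align * align
    return room - ESP_TRAILER

def max_tcp_mss(link_mtu, suite, nat_t=False):
    """TCP MSS to clamp to so full-size segments are not fragmented."""
    return max_inner_packet(link_mtu, suite, nat_t) - TCP_IPV4_HEADERS

def is_fragmented(inner_len, link_mtu, suite, nat_t=False):
    return esp_packet_size(inner_len, suite, nat_t) > link_mtu

if __name__ == "__main__":
    for name in SUITES:
        print(name, "full 1500-byte LAN packet on the wire:",
              esp_packet_size(1500, name), "bytes;",
              "max inner packet:", max_inner_packet(1500, name),
              "MSS:", max_tcp_mss(1500, name))
```

If a capture shows outer packets larger than the link MTU for full-size LAN packets, the MSS value printed here is the figure to clamp to on the tunnel.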