More IPSEC woes…. Horrible performance



  • I have spent 3 days now trying to understand what might be causing the problems on the VPN we have.

    Connection is point to point.

    Site A Supermicro Xeon server with virtual pfsense. 3.2.1_5
    Site B is an APU running 2.2.6

    iperf is able to push the VPN to the max of site B which is 10mbit

    Windows file transfer or robocopy fluctuates around 1.5 mbit

    When I changed from AES 128 to 3DES I was able to push the throughput of Windows transfer up to 3-4 mbit

    My real issue is that a thin client application that uses SQL in the background is having the most issues.  When performing a query from site B (Client) to Site A (Server) the process can take upwards of 60 seconds to complete the query in the app.  Using a computer local to the server (Site A) the query is pretty much instantaneous.  Also when performing the query from Site B we do not record any kind of significant traffic during the query.

    Any suggestions would be helpful!



  • Enable MSS clamping if you haven't already. Outside of that, you're getting the line capacity with iperf, so the VPN itself isn't to blame. Windows file transfers perform horribly with high latency. Guessing the bulk of it's attributable to that, with anything to do with SMB at least. The SQL part might be fixed by MSS clamping, but hard to say from that what it might be.



  • Are there any recommended values or is it ok to try anything?  Site A is in a datacenter (OVH) with ethernet handoff of 1GB inbound and 500mbit outbound.  Are there any questions I could ask the datacenter that might help determine the value I might want to enter?

    Site B is 10mbit fiber from ATT

    Latency is 70-80ms



  • 1400 should be fine.



  • We ended up using 1280 MTU for IPsec, but we have many mobile clients using modems.

    Some good reading about the subject can be found here:

    https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/



  • I am going to try changing the MTU to 1400 tonight.

    What is interesting is when I switched to 3DES/SHA1 from AES on the APU I was able to pass 3-4 mbit on Windows file transfers compared to a maximum of 1.5 on AES 128/SHA1