Slow speed within IPSec



  • Hello,

    I did find another thread similar to what I am experiencing, however it looks like that case was related to incorrect calculations between MB/s and Mbps, which I don't think is the case here.

    I have three locations with pfsense connected via IPSec tunnels. The Hi location is the main one, and contains 2 phase2 tunnels for Ma and Sha locations.
    I am experiencing issues with slow speed over these IPSec tunnels to both other locations. I have tried transferring files to check the speed I am getting - I included the results below along with a brief description of each location (speeds and pfsense version). I have also checked the WAN usage during the tests I performed and they were not hitting their maximum bandwidth.

    Examples:

    • Downloading file from Hi Location (upload 20Mbps) to Ma Location (download 50Mbps) runs at 1.08MB/s = 8.64 Mbps;
    • Downloading file from Hi Location (max upload 20Mbps) to Sha Location (max download 50Mbps) runs at 1.22MB/s = 9.76 Mbps;

    Locations:
    Hi Location: 100 Mbps down/ 20 Mbps up; pfsense 2.2.4
    Ma Location: 50 Mbps down/ 50 Mbps up; pfsense 2.2.4
    Sha Location: 50 Mbps down/ 10 Mbps up ; pfsense 2.3

    Is this a by-design limitation of some kind?
    Is there something that can be done in order to improve the speed within the IPSec tunnel?
    I was thinking about configuring Traffic shaper to prioritize IPSec on WAN, however this will not speed things up within the tunnel. Perhaps I will try this.

    Please let me know if I am missing something. Any suggestions appreciated. Thanks in advance.

    Arci



  • Did you notice any increased resource utilization?? CPU/RAM??

    Can you also check that your ISP does not put any sort of QoS on VPN traffic. In the UK some ISPs do that, mainly for home users, so VPNs appear to be slow… Because you know, VPN is a business thing...



  • I have not kept track of CPU/RAM usage however it looks normal to me.

    CPU usage: 1-2%
    Memory usage: 11%
    Load average: 0.03, 0.01, 0.00

    The ISP at the Hi and Sha locations is Comcast Business. From some short research it looks like Comcast should not throttle any connections (including VPN) as this is against their policy.

    Any other ideas?



  • I'm seeing something similar. We picked out Intel Core i5 CPUs for routers at both of our sites so we could use AES-NI for encryption. I haven't yet done extensive testing, but so far a transfer from the remote site with a 100Mbps symmetric connection to my site with 100/10Mbps is running at similar speeds to what you are getting, under 10Mbps.



  • I also.  Comcast business 100/20.  Not seeing through-ipsec traffic exceed 10mb, in either direction.  File transfers (just using 'click and drag' between a mapped drive and a local PC) transfer a 20mb file at the same speed in both directions .. but never exceeding 10mb.  I don't see a 'hard wall' cap on the traffic graph, however.

    I have set up a 2nd VPN to a second data store area, to see if that changes anything. 
    We're using a pfsense.org 4820, I believe, and hardly touching CPU, processes, or memory.

    Head end VPN termination is on a Juniper SSG520 with about 80 configured VPNs.  The 2nd VPN I'm setting up goes to an SSG320, with only 2 VPNs configured.

    Juniper world has some TCP-MSS settings that can be used, but we haven't tried as yet.  Looks like MTU is set at 1500 across the board.  I suspect that may not be correct.

    Speed tests to speedtest.net, and our own speed test machine, bring back almost full 100/20mb readings.  I'm always suspect of these tests, however.  I wouldn't put it past Comcast to do a 'Volkswagen test' … where it detects the traffic pattern, notices it's a speed test, and allows it to go full bore, where other 'real' traffic may not.



  • What's your alg?

    Try using aes128/sha1 DH1 P1
    aes128/sha1 no PFS P2



  • I, too, am seeing poor performance over an IPSEC VPN tunnel. I have a 500Mbps pipe on one end and practically unlimited (1Gbps+) on the other. I am running a pfSense on each end, both running on VMWare with 2 CPUs and 4GB RAM with the VMWare tool package installed, utilizing VMXNet3 NICs. When I run iPerf3 between two Windows hosts on the LANs (across the VPN), I get ~2.1Mbps throughput for the first packet, and then 0.0 for the remainder of the test.  I've tried various algorithms but they're all about the same.

    I've tried enabling and disabling hardware acceleration, tcp offload, etc…

    We are long-time Watchguard firewall users, but can only seem to get 320Mbps of throughput through the IPSEC VPN, so I wanted to try pfSense to see if it would be any faster... not looking very good so far.



  • https://doc.pfsense.org/index.php/Advanced_IPsec_Settings

    "Enable MSS clamping on VPN traffic: Enable MSS clamping on TCP flows over VPN. This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. This is useful if large packets have problems traversing the VPN, or if slow/choppy connections are observed across the VPN. Ideally it should be set on both sides, but traffic will have MSS clamping applied in both directions."

    Change it to 1350 and test
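    The quoted setting exists because every TCP segment sent through the tunnel grows by the ESP encapsulation, so an MSS derived from a 1500-byte LAN MTU produces outer packets that no longer fit a 1500-byte WAN path. The following is an added example, not from this thread or from pfSense, that works out that budget; it assumes tunnel-mode ESP over IPv4 without IP options, AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV) as in the aes128/sha1 proposal suggested above, and an extra 8-byte UDP header when NAT-T is in use.

```python
"""Size budget for a full TCP segment carried in ESP tunnel mode (added example).

Assumptions: outer and inner IPv4 headers of 20 bytes (no options), TCP header
without options, AES-CBC with a 16-byte IV and 16-byte block, HMAC-SHA1-96 ICV.
"""

OUTER_IP = 20     # outer IPv4 header added by tunnel mode
INNER_IP = 20     # original IPv4 header, now inside the ESP payload
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), inside the encrypted part
UDP_HDR = 8       # only present with NAT-T (UDP/4500 encapsulation)


def esp_packet_len(mss, block=16, iv=16, icv=12, nat_t=False):
    """Outer packet length for one TCP segment of `mss` payload bytes."""
    plaintext = INNER_IP + TCP_HDR + mss + ESP_TRAILER
    # ESP pads the encrypted portion up to a multiple of the cipher block size
    padded = -(-plaintext // block) * block
    return OUTER_IP + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + icv


def fits(mss, path_mtu=1500, **kw):
    """True if a full-MSS segment crosses the outer path without fragmentation."""
    return esp_packet_len(mss, **kw) <= path_mtu


def max_mss(path_mtu=1500, **kw):
    """Largest MSS whose ESP-encapsulated segment still fits in path_mtu."""
    mss = path_mtu
    while mss > 0 and not fits(mss, path_mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    cases = [
        ("aes-cbc/sha1", {}),
        ("aes-cbc/sha1 over NAT-T", {"nat_t": True}),
        ("aes-gcm (8-byte IV, 16-byte ICV)", {"block": 4, "iv": 8, "icv": 16}),
    ]
    for label, kw in cases:
        print(f"{label}: max MSS on a 1500-byte path = {max_mss(**kw)}")
    # the two clamp values discussed in the thread, under the aes-cbc/sha1 assumptions
    for mss in (1400, 1350):
        print(f"MSS {mss}: outer packet {esp_packet_len(mss)} bytes, fits = {fits(mss)}")
```

    Under these assumptions the 1400-byte clamp still yields 1512-byte outer packets, while 1350 leaves headroom even with NAT-T; if a clamp change makes no difference, as reported later in the thread, the cause is unlikely to be fragmentation.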



  • @rlrobs:

    https://doc.pfsense.org/index.php/Advanced_IPsec_Settings

    "Enable MSS clamping on VPN traffic: Enable MSS clamping on TCP flows over VPN. This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. This is useful if large packets have problems traversing the VPN, or if slow/choppy connections are observed across the VPN. Ideally it should be set on both sides, but traffic will have MSS clamping applied in both directions."

    Change it to 1350 and test

    Hello, having the same problem here, and changing the MSS clamping to 1400, 1350 or even 1300 didn't change anything unfortunately.

    As a "feeling", it seems like in certain conditions the IPSec interface is limited to 10Mbps, or rather, the communications between the IPSec interfaces are limited to 10Mbps, but this is just a feeling because I cannot find any limit anywhere.

    Thanks,
    Michele

