IPSEC performance? tinc?
bobkoure last edited by
I've got IPsec tunnels up between two locations, and performance isn't what I'd hoped.
Both offices have SG2440s
Both sites have multiple ISPs (so gateway groups and fail-over)
For original setup / simplicity, IPSEC tunnels just use 1 ISP at each site
site 1 ISP1 has 20/20
site 2 ISP1 has 100/100
When I test with LANSpeedTest https://totusoft.com/lanspeed I get 3Mbps
For judging SMB overhead, when I test against a local file server I get 730Mbps
I have AES-NI instructions available on both ends, and am using AES-128 / AES-XCBC / DH2.
I have recently moved from Snapgear SG580s (Linux-based) because those processors did not have AES-NI, and so I was using 3DES, which was slow, but not this slow - in the 5Mbps range over these same connections.
So, what am I doing wrong? Looks like I've somehow pessimized my IPSEC connections :-[
I've tried all sorts of combinations of encryption/hash algorithms and don't see any improvement.
BTW, with the Snapgears, I had PFS on. I have it off on pfSense.
Is there a "how to improve IPSEC performance on pfSense" page around somewhere?
All that said, what about tinc? I ran GRE tunnels over IPSEC on the Snapgears, to un-block some protocols IPSEC was 'helping' me by filtering out. GRE looks problematic on pfSense. tinc to the rescue?
I've got about a day into making it work between my home pfSense and the branch office, so I can test performance. Wondering if it's worth my while to keep banging on it…
Finally: what forum group is appropriate for tinc questions?
Thanks for any help / suggestions...