IPSEC performance? tinc?

  • I've got IPsec tunnels up between two locations, and performance isn't what I'd hoped.
    Both offices have SG2440s
    Both sites have multiple ISPs (so gateway groups and fail-over)
    For original setup / simplicity, IPSEC tunnels just use 1 ISP at each site
    site 1 ISP1 has 20/20
    site 2 ISP1 has 100/100

    When I test with LANSpeedTest https://totusoft.com/lanspeed I get 3Mbps
    For judging SMB overhead, when I test against a local file server I get 730Mbps

    I have AES-NI instructions available on both ends, and am using AES-128 / AES-XCBC / DH2

    I have recently moved from Snapgear SG580s (Linux-based) because those processors did not have AES-NI, and so I was using 3DES, which was slow, but not this slow - in the 5Mbps range over these same connections.

    So, what am I doing wrong? Looks like I've somehow pessimized my IPSEC connections  :-[
    I've tried all sorts of combinations of encryption/hash algorithms and don't see any improvement.

    BTW, with the Snapgears, I had PFS on. I have it off on pfSense.

    Is there a "how to improve IPSEC performance on pfSense" page around somewhere?

    All that said, what about tinc?  I ran GRE tunnels over IPSEC on the snapgears, to un-block some protocols IPSEC was 'helping' me by filtering out. GRE looks problematic on pfSense. tinc to the rescue?

    I've got about a day into making it work between my home pfSense and the branch office, so I can test performance. Wondering if it's worth my while to keep banging on it…

    Finally: what forum group is appropriate for tinc questions?

    Thanks for any help / suggestions...

