IPSEC performance? tinc?
I've got IPsec tunnels up between two locations, and performance isn't what I'd hoped.
Both offices have SG2440s
Both sites have multiple ISPs (so gateway groups and fail-over)
For original setup / simplicity, IPSEC tunnels just use 1 ISP at each site
site 1 ISP1 has 20/20
site 2 ISP1 has 100/100
When I test with LANSpeedTest https://totusoft.com/lanspeed I get 3Mbps
For judging SMB overhead, when I test against a local file server I get 730Mbps
I have AES-ni instructions available on both ends, and am using AES-128 / AES-XCBC / DH2
I have recently moved from Snapgear SG580s (Linux based) because those processors did not have AES-ni, and so I was using 3DES, which was slow, but not this slow - in the 5Mbps over these same connections.
So, what am I doing wrong? Looks like I've somehow pessimized my IPSEC connections :-[
I've tried all sorts of combinations of encryption/hash algorithms and don't see any improvement.
BTW, with the Snapgears, I had PFS on. I have it off on pfSense.
Is there a "how to improve IPSEC performance on pfSense" page around somewhere?
All that said, what about tinc? I ran GRE tunnels over IPSEC on the snapgears, to un-block some protocols IPSEC was 'helping' me by filtering out. GRE looks problematic on pfSense. tinc to the rescue?
I've got about a day into making it work between my home pfSense and the branch office, so I can test performance. Wondering if it's worth my while to keep banging on it…
Finally: what forum group is appropriate for tinc questions?
Thanks for any help / suggestions...