IPsec pfSense to pfSense with one behind another pfSense
Hi,
I'm trying to set up an IPsec connection between two pfSense firewalls, with one of those firewalls behind another pfSense firewall. The connection itself is not a problem, and from both sites it's possible to ping, etc. to the other side.
However, when I try to copy a file of, let's say, 200MB from a PC behind the firewall directly connected to the internet to a PC behind the firewall that sits behind another pfSense firewall, the max speed I get is around 1-2MB/s. When I copy a file of the same size from the one behind the other pfSense firewall to a PC on the side of the directly connected firewall, I get 50MB+ copying speed.
I've already been playing with the MTU settings on both sites to see if that fixes it, but that didn't change the speed.
To clarify the situation, here is a short description of the connection:
pc <-> pfSense <-> internet <-> pfSense <-> pfSense <-> pc
Between the first two pfSense firewalls there is already an IPsec VPN active, where the speed almost reaches the max capacity of the fiber connection on both sites (1000/1000). The settings are almost the same on both IPsec tunnels.
The settings on both sites are:
Type: both physical machines
P1:
IKE: V2
P1 protocol: AES128-GCM (128 bits)
P1 transforms: AES-XCBC
P1 DH-Group: 16 (4096 bit)
P2:
Mode: tunnel
P2 protocol: ESP
P2 transforms: AES128-GCM (128 bits)
NAT Traversal: both sides on Auto
Both firewalls support AES-NI hardware crypto, which includes AES-GCM, and AES-NI CPU Crypto is active on both sides.
On the first pfSense firewall on the side with two, under Firewall/NAT/1:1 there is an external IP assigned to the second firewall. Also, a port forward has been set up on that IP to the internal IP of the second pfSense firewall for the following ports/protocols: UDP 500/4500 and ESP.
Does someone have an idea where it maybe goes wrong in this setup? If the information is not clear or more information is needed, let me know :)
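The post mentions experimenting with MTU settings. The following calculator is an added example, not code from the poster or from pfSense: it works out the per-packet ESP overhead for the configuration described above (ESP tunnel mode, AES128-GCM with a 128-bit ICV, NAT-T encapsulation on UDP/4500) and from that the largest inner packet and TCP MSS that fit a given path MTU without fragmentation. It assumes IPv4 on both the outer and inner packets, a 1500-byte path MTU, no TCP options, and that NAT-T is actually in use on this tunnel (the second firewall sits behind 1:1 NAT, so "Auto" is assumed to detect it); these are assumptions, not facts stated in the post. The header sizes come from RFC 4303 (ESP), RFC 4106 (AES-GCM in ESP) and RFC 3948 (UDP encapsulation).

```python
"""ESP/NAT-T overhead and MSS calculator (added example; assumes IPv4 in and out)."""

ESP_HDR = 8        # SPI (4) + sequence number (4), RFC 4303
GCM_IV = 8         # explicit 8-byte IV for AES-GCM in ESP, RFC 4106
GCM_ICV = 16       # 128-bit ICV, matching "AES128-GCM (128 bits)" in the post
ESP_TRAILER = 2    # pad length (1) + next header (1)
IPV4_HDR = 20      # outer and inner IPv4 header, no options
UDP_HDR = 8        # NAT-T encapsulation on UDP/4500, RFC 3948
TCP_HDR = 20       # inner TCP header, no options (assumption)


def esp_padding(inner_len: int) -> int:
    """Bytes of ESP padding needed so that payload + padding + 2-byte trailer
    is a multiple of 4. AES-GCM is a counter mode, so it adds no block alignment
    of its own; only the RFC 4303 4-byte rule applies."""
    return (-(inner_len + ESP_TRAILER)) % 4


def encapsulated_size(inner_len: int, nat_t: bool = True) -> int:
    """Size on the wire of a tunnel-mode ESP packet carrying an inner IP packet
    of inner_len bytes, with or without the NAT-T UDP header."""
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)
    return (outer + ESP_HDR + GCM_IV + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + GCM_ICV)


def max_inner_packet(path_mtu: int, nat_t: bool = True) -> int:
    """Largest inner IPv4 packet whose encrypted form still fits path_mtu.
    Brute force downward; padding makes the relation non-monotonic in steps of 4."""
    size = path_mtu
    while encapsulated_size(size, nat_t) > path_mtu:
        size -= 1
    return size


def suggested_tcp_mss(path_mtu: int, nat_t: bool = True) -> int:
    """TCP MSS to clamp inner connections to: inner packet minus IPv4 + TCP headers."""
    return max_inner_packet(path_mtu, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for nat_t in (True, False):
        label = "with NAT-T (UDP/4500)" if nat_t else "plain ESP"
        print(f"{label}: max inner packet {max_inner_packet(1500, nat_t)} bytes, "
              f"suggested TCP MSS {suggested_tcp_mss(1500, nat_t)} bytes")
```

Running it with a 1500-byte path MTU gives a largest inner packet of 1438 bytes and a TCP MSS of 1398 bytes with NAT-T (1446 and 1406 bytes for plain ESP). Those are the numbers to compare against whatever TCP MSS clamp is applied on the tunnel (pfSense has one in its IPsec advanced settings); an inner packet larger than the computed maximum has to be fragmented after encryption, and fragments of UDP/4500 traffic are a common casualty at NAT and port-forward hops, which is worth checking in the direction that is slow. The calculation only covers packet sizing, so it does not by itself explain an asymmetry between the two directions.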