Netgate Discussion Forum

    IPSEC pfSense to pfSense with one behind another pfSense

      112fan
      last edited by

      Hi,

I'm trying to set up an IPsec connection between two pfSense firewalls, with one of those firewalls behind another pfSense firewall. The connection itself is not a problem, and from both sites it's possible to ping, etc. to the other side.

However, when I try to copy a file of, let's say, 200 MB from a PC behind the firewall that is directly connected to the internet to a PC behind the firewall that sits behind another pfSense firewall, the maximum speed I get is around 1-2 MB/s. When I copy a file of the same size from the PC behind the double firewalls to a PC on the side of the directly connected firewall, I get 50 MB/s+ as the copying speed.

I've already been playing with the MTU settings on both sites to see whether that fixes it, but it didn't change the speed.

To clarify the situation, here is a short description of the connection:

      pc <-> pfSense <-> internet <-> pfSense <-> pfSense <-> pc

Between the first two pfSense firewalls there is already an IPsec VPN active, where the speed almost reaches the maximum capacity of the fiber connection on both sites (1000/1000). The settings are almost the same on both IPsec tunnels.

      The settings on both sites are:

      Type: both physical machines
      P1:
      IKE: V2
      P1 protocol: AES128-GCM (128 bits)
      P1 transforms: AES-XCBC
      P1 DH-Group: 16 (4096 bit)
      P2:
      Mode: tunnel
      P2 protocol: ESP
      P2 transforms: AES128-GCM (128 bits)
      NAT Traversal: both sides on Auto

      Both firewalls support AES-NI hardware crypto which includes AES-GCM and AES-NI CPU Crypto is active on both sides.

On the first pfSense firewall on the side with two, under Firewall/NAT/1:1, there is an external IP assigned to the second firewall. A port forward has also been set up on that IP to the internal IP of the second pfSense firewall for the following ports/protocols: UDP 500/4500 and ESP.

Does someone have an idea where it might go wrong in this setup? If the information is not clear or more information is needed, let me know :)

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
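The post mentions experimenting with MTU on both sites and NAT Traversal on Auto. When a tunnel runs over UDP 4500 through a 1:1 NAT, the encapsulation overhead differs from plain ESP, and a full-size inner packet no longer fits a 1500-byte outer MTU, so it is fragmented or dropped. The script below is an added example, not code from the poster or from pfSense: it computes the tunnel-mode ESP overhead for the AES128-GCM phase 2 listed above, with and without the NAT-T UDP header, and derives the TCP MSS value that keeps encapsulated packets within a given outer MTU. The header sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM in ESP, 8-byte IV, 16-byte ICV, 4-byte alignment) and RFC 3948 (UDP encapsulation); the outer-MTU value of 1500 is an assumed sample input, since the post does not state the WAN MTU.

```python
"""Estimate IPsec tunnel-mode ESP overhead (AES-128-GCM) and derive an MSS clamp.

Added illustration; header sizes from RFC 4303 / RFC 4106 / RFC 3948, not
measured on the poster's firewalls.
"""

OUTER_IPV4_HDR = 20   # outer IPv4 header added by tunnel mode
UDP_NATT_HDR = 8      # UDP header when NAT-T encapsulation (UDP 4500) is in use
ESP_SPI_SEQ = 8       # ESP header: 4-byte SPI + 4-byte sequence number
AES_GCM_IV = 8        # explicit IV carried in front of the ciphertext (RFC 4106)
ESP_TRAILER = 2       # pad length (1) + next header (1)
AES_GCM_ICV = 16      # integrity check value (128-bit tag)
INNER_IPV4_HDR = 20   # inner IPv4 header of the original packet
TCP_HDR = 20          # TCP header without options


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that payload + trailer is 4-byte aligned (RFC 4106 needs
    only the generic 4-byte ESP alignment for AES-GCM, no block padding)."""
    return (-(inner_len + ESP_TRAILER)) % 4


def outer_size(inner_len: int, nat_t: bool = True) -> int:
    """Size on the wire of an inner packet of inner_len bytes after ESP
    tunnel-mode encapsulation, optionally wrapped in NAT-T UDP."""
    fixed = OUTER_IPV4_HDR + ESP_SPI_SEQ + AES_GCM_IV + ESP_TRAILER + AES_GCM_ICV
    if nat_t:
        fixed += UDP_NATT_HDR
    return fixed + inner_len + esp_padding(inner_len)


def max_inner_packet(outer_mtu: int, nat_t: bool = True) -> int:
    """Largest inner IP packet whose encapsulated form still fits outer_mtu.
    Brute force is fine here: the search space is one MTU wide."""
    best = 0
    for candidate in range(outer_mtu + 1):
        if outer_size(candidate, nat_t) <= outer_mtu:
            best = candidate
    return best


def tcp_mss(outer_mtu: int, nat_t: bool = True) -> int:
    """TCP MSS to clamp to so that segments sent through the tunnel are never
    fragmented at the outer interface (inner IPv4 + TCP headers removed)."""
    return max_inner_packet(outer_mtu, nat_t) - INNER_IPV4_HDR - TCP_HDR


def fragmentation_report(inner_len: int, outer_mtu: int) -> dict:
    """Summarise whether an inner packet of inner_len bytes survives a given
    outer MTU in both encapsulation modes."""
    return {
        "esp_only_bytes": outer_size(inner_len, nat_t=False),
        "nat_t_bytes": outer_size(inner_len, nat_t=True),
        "esp_only_fits": outer_size(inner_len, nat_t=False) <= outer_mtu,
        "nat_t_fits": outer_size(inner_len, nat_t=True) <= outer_mtu,
    }


if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte inner packet over a 1500-byte WAN MTU.
    report = fragmentation_report(1500, 1500)
    print("1500-byte inner packet:", report)
    print("MSS clamp, plain ESP :", tcp_mss(1500, nat_t=False))
    print("MSS clamp, NAT-T     :", tcp_mss(1500, nat_t=True))
```

Run as-is, it shows that a 1500-byte inner packet becomes 1564 bytes under NAT-T and exceeds a 1500-byte outer MTU, while an MSS clamp of 1398 (NAT-T) or 1406 (plain ESP) keeps TCP segments within it. The same arithmetic applies to whatever outer MTU the WAN actually carries; substitute the real value for 1500.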