IPsec between sites painfully slow
-
Howdy! I know the topic is a common one, but I would like suggestions for tuning my IPsec between sites for better throughput.
I have Cogent 10Gb WAN at both sites, one is west-coast and one is east-coast, so even staying on Cogent "backbone" only, there are 11 hops and 70 ms latency. I have also verified ping -d -s 1472 <IP ADDR> between sites.
My pfSense(s) are configured with 4 vCPUs (running as a VMware VM) and rarely show more than 10% CPU usage at the maximum throughput I am able to obtain through the IPsec between sites.
My Phase 1:
IKE v2, Mutual PSK, AES256-GCM-128bits-SHA256-DH14
My Phase 2:
Tunnel, ESP, AES256-GCM-DH14
Any suggestions?
THX,
-John -
Install the iperf package at both ends. Use that to determine what your baseline end to end speed really is. Now run it over your IPsec tunnel. If there is a substantial difference then that needs looking into.
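Added example, not part of either post: one way to turn the baseline-versus-tunnel comparison above into numbers, by parsing the JSON that `iperf3 -c <peer> -J` writes for each run. The two embedded reports are constructed, trimmed samples, and the 0.5 cut-off for a "substantial" difference is an assumption, not a figure from the thread.

```python
import json

# Constructed, trimmed stand-ins for `iperf3 -c <peer> -J` output.
# Real reports carry many more fields; these numbers are illustrative only.
BASELINE_JSON = """
{"end": {"sum_sent": {"bits_per_second": 2.40e9, "retransmits": 12},
         "sum_received": {"bits_per_second": 2.40e9}}}
"""
TUNNEL_JSON = """
{"end": {"sum_sent": {"bits_per_second": 1.82e8, "retransmits": 950},
         "sum_received": {"bits_per_second": 1.80e8}}}
"""


def summarize(report_text):
    """Return (received Mbit/s, sender retransmits) for one iperf3 report."""
    report = json.loads(report_text)
    if "error" in report:
        # A failed run has no usable totals; do not treat it as 0 Mbit/s.
        raise ValueError("iperf3 run failed: " + str(report["error"]))
    end = report["end"]
    # Receiver-side rate is what actually arrived at the far end.
    mbps = end["sum_received"]["bits_per_second"] / 1e6
    # Retransmits are reported for TCP senders only, so default to 0.
    retransmits = end["sum_sent"].get("retransmits", 0)
    return mbps, retransmits


def compare(baseline_text, tunnel_text, threshold=0.5):
    """Compare a clear-path run with a run through the IPsec tunnel.

    threshold is a hypothetical cut-off: a tunnel rate below this
    fraction of the baseline is flagged for investigation.
    """
    base_mbps, base_rtx = summarize(baseline_text)
    tun_mbps, tun_rtx = summarize(tunnel_text)
    ratio = tun_mbps / base_mbps if base_mbps else 0.0
    return {
        "baseline_mbps": base_mbps,
        "tunnel_mbps": tun_mbps,
        "ratio": ratio,
        "extra_retransmits": tun_rtx - base_rtx,
        "substantial_difference": ratio < threshold,
    }


if __name__ == "__main__":
    for key, value in compare(BASELINE_JSON, TUNNEL_JSON).items():
        print(f"{key}: {value}")
```

A large jump in retransmits on the tunnel run alongside low CPU use suggests loss or fragmentation on the encrypted path rather than a crypto bottleneck.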