Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPSec is very slow between two pfsense routers

    IPsec
    4
    15
    907
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kevingoos last edited by

      I did a setup for an IPSec between myself and my parents. Both for backup and for usage off services on both sides. But my ipsec tunnel is very slow and some services like video streaming are impossible over the tunnel.

      Now I read that most people have more performance, so it looks like I did something wrong.

      So the setup is as followed:

      • My parents have a Netgate 2100, and a internet connection with 300Mbit down and 30Mbit up
      • I have a Netgate 7100, and a internet connection with 400Mbit down and 40Mbit up

      Here are some iperf graphs with the speed I get from the VPN:
      This is from my parents to me:
      ParentsToMe.png
      And here the stats from my side to my parents:
      FromMyToParents.png

      Configuration on my parents side: (My configuration is almost the same, I can drop it if requested)
      2e7d00a4-bebf-43dc-a54f-6aa6ebc38b32-image.png
      upload2.png
      52a32475-1c56-49a7-b45a-cf82cdf5497b-image.png
      c3ede304-f396-43e1-9a6c-aa2af8a536ac-image.png

      So is there somebody who can help me with the performance of my ipsec vpn?

      K 1 Reply Last reply Reply Quote 0
      • K
        keyser @kevingoos last edited by keyser

        @kevingoos In principle it’s not your VPN settings. Those are technically fine.

        However: You will run into an issue with a stalling IPsec tunnel with those settings. There is an issue using AES-CGM right now - at least om ARM based boxes that stalls the tunnels. I have had precursors of VERY low throughput in GCM based tunnels before they stalled completely. So there is a small chance that you are hitting this. Try changing the Phase 1 + 2 Ciphers to AES-CBC (Listed as AES in the UI) and see if that helps.

        If not, you are likely seeing a packet fragmentation penalty and need to limit your MTU on the VPN tunnel.

        https://www.reddit.com/r/PFSENSE/comments/qzpm7k/having_weird_ipsec_issues_try_mss_clamping/

        K 1 Reply Last reply Reply Quote 0
        • K
          kevingoos @keyser last edited by

          @keyser So I changed the P1 AES(256)
          And also changed my encryption on my 7100 to QAT:
          d66dcebe-be86-410d-8c2c-f88590cdb33b-image.png

          Now I get around 500 KB/s copying a file which is already a bit better but still not great.

          I will try lowering the encryption to 128 and see if that makes it acceptable

          K 1 Reply Last reply Reply Quote 0
          • K
            keyser @kevingoos last edited by

            @kevingoos said in IPSec is very slow between two pfsense routers:

            @keyser So I changed the P1 AES(256)
            And also changed my encryption on my 7100 to QAT:
            d66dcebe-be86-410d-8c2c-f88590cdb33b-image.png

            Now I get around 500 KB/s copying a file which is already a bit better but still not great.

            I will try lowering the encryption to 128 and see if that makes it acceptable

            remember to change the encryption on Phase 2 - that is where all that actual data gets encrypted - and thus where a performance difference really shows.

            K 1 Reply Last reply Reply Quote 0
            • K
              kevingoos @keyser last edited by

              @keyser Ok should I also put Phase 2 on AES-CBC?

              K 2 Replies Last reply Reply Quote 0
              • K
                keyser @kevingoos last edited by

                @kevingoos Yes - i see the “2” i thought i wrote in the initial post after the “+” did in fact not register….

                1 Reply Last reply Reply Quote 0
                • K
                  keyser @kevingoos last edited by keyser

                  @kevingoos One other thing: When you change the phase 2 ciphers til CBC, you need to set SHA-256 as the Auth mechanism. It’s only when using GCM that you do not need a auth mechanism in P2.
                  You should set your phase 1 transform to sha-256 while you are at it as well :-)

                  Edit: in the UI it’s the HASH selection field in P1 and P2 i’m reffering to.

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    kevingoos @keyser last edited by kevingoos

                    @keyser Ok now we have 585 KB/s copying a file through SMB. Not yet great but again a bit better...

                    This is what I have now on the 7100 side
                    a30f214a-9dc0-4b26-b601-5001021117d0-image.png

                    And this on the 2100 side
                    604b9c77-7c6d-4b4c-9684-0ab0728a9052-image.png

                    K 1 Reply Last reply Reply Quote 0
                    • K
                      keyser @kevingoos last edited by

                      @kevingoos Yeah, those are solid settings to avoid the stalling IPSec tunnel. But since your speed is far from the “close to 30mbit” possible in your setup, we have to look elsewhere.

                      1.st off: SMB is crap over a line with latency - which is the case here.

                      So before we continue suspecting the VPN, please do a couple of tests:

                      1: install the iperf package on both your pfsenses.
                      2: Open iperf port 5201 TCP/UDP on “serverside” pfsense’ WAN interface from the public IP on your other pfsense.
                      3: Run some iperf tests from client pfsense to server pfsense.

                      This will tell us what we can actually expect between the two boxes when no VPN is involved.

                      After that run iperf on your SMB server and client and run the test againg between those two. Now we have an idea if the VPN severely limits throughput compared to RAW (non-VPN).

                      My guess is SMB is the culprit here…..

                      1 Reply Last reply Reply Quote 1
                      • Cool_Corona
                        Cool_Corona last edited by

                        SMB is useless over VPN. Incredibly slow....

                        Cannot even stream FullHD video without lagging.

                        K 1 Reply Last reply Reply Quote 0
                        • N
                          NOCling last edited by

                          User Intel Quick Assist on 71er Site and SafeXcel on the ARM Site.
                          User a good DH Group like 19, 20, 21.
                          Use wan optimized Stuff to push Data over VPN, not SMB, it designed is lan ony.

                          I run my NAS Backups over the Tunnel, with the Upload limiting around about 50MBit/s.
                          This Speed is no problem for the 21er, System Load 8-9%, Interrupt 18%.

                          And yes, if you use AES GCM with SafeXcel on ARM, you got stuck after som Time with the entire IPsec Stack.

                          Netgate 6100 & Netgate 2100

                          1 Reply Last reply Reply Quote 0
                          • K
                            kevingoos @Cool_Corona last edited by

                            @cool_corona Yes I tested with SMB, but also Plex cannot stream any video over the IPSEC tunnel without buffering every 2 min

                            Cool_Corona K 2 Replies Last reply Reply Quote 0
                            • Cool_Corona
                              Cool_Corona @kevingoos last edited by

                              @kevingoos And the funny part is, hardware doesnt matter. No matter how much power the FW has, it doesnt matter.

                              Its much better on a 2.2.6 version of Pfsense. Then it works quickly and no issues.

                              Food for thought.

                              1 Reply Last reply Reply Quote 0
                              • K
                                keyser @kevingoos last edited by

                                @kevingoos Have you tried the iPerf tests I suggested?
                                Until you do, we cannot really say what is what - we need to see if the tunnel can carry the “up to 30mbit” possible in your scenario.

                                After that test - if no throughput is possible with iPerf either, look into limiting the fragmentation size as i suggested by using MSS Clamping on the tunnel. I don’t think that is you issue though, so…

                                My guess is your tunnel is fine when you do a 3 or 4 streams iPerf test (will pass about 30 mbit).
                                The issue is very likely the asyncronous speeds in both ends combined with the latency introduced. That’s a real throughput killer. It can very quickly completely kill single stream interactive protocols like SMB.

                                K 1 Reply Last reply Reply Quote 0
                                • K
                                  kevingoos @keyser last edited by kevingoos

                                  @keyser Sorry currently I broke the VPN by updating 7100 to the latest version. But the update for the 2100 is not yet ready...
                                  I will get back the moment I get this updated.

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post