Netgate Discussion Forum
    VPN Settings and Cryptographic Hardware

    IPsec
    3 Posts 2 Posters 399 Views
    Spyderturbo007

      I have an IPsec VPN set up between two locations using two Netgate 6100 devices. I can copy large files across the VPN at around 10.4MB/s. Both sites are running a 500Mbps connection.

      I'm trying to squeeze as much out of the VPN as possible. I realize that SMB traffic is "chatty" and not the fastest thing over higher latency connections, but a ping over the VPN is around 5ms. The locations are very close.

      I was hoping someone could help me make sense of IPsec-MB, AES-NI and QAT, along with how they interact with my tunnel settings. Using the pinned topic "Scaling IPsec", I settled on these settings:

      Phase 1:
      IKEv2
      AES128-GCM
      AES-XCBC
      DH-Group 14

      Phase 2:
      Protocol ESP
      Transforms: AES128-GCM (128 bits)
      No Hash Algorithm
      PFS Key Group - 14

      Thanks so much for the help!

      [Attached image: Settings Page.PNG]

      michmoor @Spyderturbo007

        @Spyderturbo007 Are both sites 500Mbps symmetrical? If so, I find 10.4MB/s to be really bad.
        For context, I have a 6100 at one location with 500/500. To my VPC within Oracle Cloud Infrastructure, I can saturate my Internet connection easily. This was all tested using iperf with 100 simultaneous connections. The protocol of choice here is IPsec.
        Then I have a WireGuard site-to-site to a location that has 200/10Mbps. I can push over 180Mbps through my 6100 and out my WAN. This is the same iperf test as before.
        All that being said, one technique I would adjust is to change to IPsec NAT-T. I have been a victim of an ISP throttling IPsec, most likely when they see port 500 traffic flowing across their links. A change to UDP 4500 made a huge difference.

        As you already mentioned, SMB isn't the best protocol to test file transfers. Performing an iperf test is my advice.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise
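The reply above recommends measuring the tunnel with iperf instead of an SMB copy, and the thread mixes MB/s (what a file copy reports) with Mbps (what the ISP sells). The script below is an added example, not code from this thread or from Netgate: it builds the iperf3 command for a many-stream test, parses the summary of an `iperf3 -J` run, converts between MB/s and Mbps, and estimates the ESP framing overhead of the AES128-GCM tunnel-mode transform from the first post (with and without NAT-T on UDP 4500) so a measured number can be compared with a realistic ceiling. The iperf3 JSON is a constructed sample shaped like real output, with invented numbers; the 0.85/0.5 verdict thresholds are my own assumptions. Run it on the test host, not on the firewall.

```python
"""Throughput sanity checks for an IPsec site-to-site tunnel.

Added example; not code from the Netgate thread or from pfSense.
Overhead figures follow RFC 4303 ESP framing and RFC 4106 AES-GCM
IV/ICV sizes (8-byte IV, 16-byte ICV) in IPv4 tunnel mode.
"""
import json

# Constructed sample shaped like `iperf3 -c <peer> -P 100 -t 30 -J` output.
# Only the fields this script reads are present; the numbers are invented.
SAMPLE_IPERF3_JSON = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "num_streams": 100, "duration": 30}},
    "end": {
        "sum_sent": {"bytes": 1_050_000_000, "bits_per_second": 280_000_000.0, "retransmits": 12},
        "sum_received": {"bytes": 1_048_000_000, "bits_per_second": 279_466_666.7},
    },
})


def iperf3_command(server, streams=100, seconds=30):
    """argv for a many-stream TCP test against an iperf3 server on the far side of the tunnel."""
    return ["iperf3", "-c", server, "-P", str(streams), "-t", str(seconds), "-J"]


def parse_iperf3_summary(text):
    """Pull the end-of-run totals out of iperf3 JSON output."""
    doc = json.loads(text)
    end = doc["end"]
    return {
        "streams": doc["start"]["test_start"]["num_streams"],
        "sent_mbps": end["sum_sent"]["bits_per_second"] / 1e6,
        "received_mbps": end["sum_received"]["bits_per_second"] / 1e6,
        "retransmits": end["sum_sent"].get("retransmits", 0),  # TCP only
    }


def mbytes_per_s_to_mbps(mbytes_per_s):
    """File-copy MB/s to link Mbps (decimal units, as ISPs quote them)."""
    return mbytes_per_s * 8


def mbps_to_mbytes_per_s(mbps):
    return mbps / 8


def esp_tunnel_overhead(inner_len, nat_t=True, iv_len=8, icv_len=16):
    """Bytes added when an IPv4 packet of inner_len is wrapped in ESP tunnel mode
    with an AES-GCM transform. pfSense NAT-T adds a UDP header on port 4500."""
    outer_ip = 20
    udp = 8 if nat_t else 0
    esp_header = 8                      # SPI + sequence number
    trailer = 2                         # pad length + next header
    pad = (-(inner_len + trailer)) % 4  # RFC 4303: payload + padding + trailer is 4-byte aligned
    return outer_ip + udp + esp_header + iv_len + pad + trailer + icv_len


def max_inner_len(wan_mtu=1500, nat_t=True):
    """Largest inner IPv4 packet whose ESP-wrapped form still fits the WAN MTU
    without fragmentation (fragmented ESP is a common cause of poor tunnel throughput)."""
    inner = wan_mtu - esp_tunnel_overhead(wan_mtu, nat_t)
    while inner + esp_tunnel_overhead(inner, nat_t) > wan_mtu:
        inner -= 1
    return inner


def goodput_ceiling_mbps(link_mbps, wan_mtu=1500, nat_t=True):
    """Upper bound on tunnel goodput: link rate scaled by inner/outer packet size.
    Ignores the inner TCP/IP headers, which cost the same with or without the tunnel."""
    inner = max_inner_len(wan_mtu, nat_t)
    return link_mbps * inner / (inner + esp_tunnel_overhead(inner, nat_t))


def assess(measured_mbps, link_mbps, wan_mtu=1500, nat_t=True):
    """Compare a measured iperf rate with the framing ceiling for the slower link.
    Thresholds are assumptions for illustration, not Netgate guidance."""
    ceiling = goodput_ceiling_mbps(link_mbps, wan_mtu, nat_t)
    util = measured_mbps / ceiling
    if util >= 0.85:
        verdict = "near line rate for this transform; little left to gain in crypto settings"
    elif util >= 0.5:
        verdict = "below ceiling; check MTU/fragmentation, offload status and ISP shaping"
    else:
        verdict = "far below ceiling; suspect the test method (Wi-Fi, SMB), throttling or a non-accelerated crypto path"
    return {"ceiling_mbps": round(ceiling, 1), "utilisation": round(util, 3), "verdict": verdict}


if __name__ == "__main__":
    print(" ".join(iperf3_command("192.0.2.10")))          # documentation address, placeholder
    print(parse_iperf3_summary(SAMPLE_IPERF3_JSON))
    print("10.4 MB/s on a 500 Mbps link:", assess(mbytes_per_s_to_mbps(10.4), 500))
    print("35 MB/s on a 300 Mbps link:", assess(mbytes_per_s_to_mbps(35), 300))
```

Two things this makes visible: 10.4MB/s is only about 83Mbps, under a fifth of what a 500Mbps link should carry, whereas 35MB/s is 280Mbps, within a few percent of the ceiling for a 300Mbps link, which matches the later posts in this thread. Note also that a full 1500-byte inner packet plus 64 bytes of NAT-T ESP framing does not fit a 1500-byte WAN MTU; the ceiling calculation sizes the inner packet to fit, and in practice that means clamping TCP MSS or lowering the tunnel MTU so ESP packets are not fragmented.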

          Spyderturbo007 @michmoor

          @michmoor Thanks so much for the response. After further digging, it turns out that I was just being dumb and not paying attention to what I was doing. I was jumping from adapter to adapter, connection to connection running around the building with my laptop. I didn't realize that the dock I had plugged into left me wireless.

          Once I figured out I was chasing my tail and wired myself, I was able to all but max out the connection at 35MB/s. I also looked, and one site is 500/500 and the other is 300/300, so the 35MB/s makes complete sense.

          With that said, I'm going to bump up the second site to 500/500 on Monday. Any suggestions on how to pair the IPsec settings with the settings for the cryptographic hardware?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.