slow transfer speeds over ipsec
-
@planedrop said in slow transfer speeds over ipsec:
@hescominsoon glad it's working better. GCM is far more efficient and is the way to go if you care about speed.
As for key length, I was asking about that setting because the key length setting actually becomes the ICV when you use AES GCM (it just doesn't dynamically rename itself).
Also, if you care about security, I would recommend using DH21 instead, 14 is fine but 21 is a good amount more secure.
Glad you are seeing better performance though, that is almost certainly due to GCM being used.
i will switch it to 21 once this half terabyte transfer completes..i am way behind now trying to get the performance worth using...:)
-
@hescominsoon Totally get you yeah. 14 is still considered secure but may not be considered so for much longer, so I'd say no rush on it but yeah swap to 21 when you can. You shouldn't really see much of a performance degradation with it either, if any at all.
I'd recommend 21 for both Phase 1 and 2.
-
@planedrop said in slow transfer speeds over ipsec:
@hescominsoon Totally get you yeah. 14 is still considered secure but may not be considered so for much longer, so I'd say no rush on it but yeah swap to 21 when you can. You shouldn't really see much of a performance degradation with it either, if any at all.
I'd recommend 21 for both Phase 1 and 2.
for giggles i paused the ftp transfers and switched back to regular aes...and performance is the same as with gcm set...make any sense?
-
once the transfers done i will post a detailed list of the ipsec vpn config...
-
I usually follow these settings: https://docs.netgate.com/pfsense/en/latest/vpn/performance.html
Sometimes I have to use AES-CBC instead, if the other side is a MikroTik for example. No problems with performance..
-
@mcury said in slow transfer speeds over ipsec:
I usually follow these settings: https://docs.netgate.com/pfsense/en/latest/vpn/performance.html
Sometimes I have to use AES-CBC instead, if the other side is a MikroTik for example. No problems with performance..
i will check that out...i did make sure both phase 1 and phase 21 on both ends were set to aes-gcm 128...:)
-
@hescominsoon When accelerated, AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
-
@planedrop said in slow transfer speeds over ipsec:
@hescominsoon When accelerated, AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
so i went through those items in the documentation and put those into place...we shall see how it helps...:)
-
@planedrop said in slow transfer speeds over ipsec:
@hescominsoon When accelerated, AES-GCM will always be faster, so I'm wondering if something else was wrong with the previous configuration. AES-CBC can still be quick, but it's not going to be as fast as GCM.
well now..those small changes have helped..now i am getting bursts to maxing out the connection...since it's a series of small transfers it's not there all the time but those have definitely helped. i will do a large file transfer over smb later..although i know it won't be nearly as fast...:)
-
@hescominsoon Glad it's working better now. SMB will definitely be slower but should be far more usable.