Netgate Discussion Forum

    IPSEC throughput

      brcisna

      Hello All,

      pfSense-1.2.3-RELEASE    x 2
      squid
      squidGuard

      We have a site to site IPSEC vpn between two school buildings. Each location has load balancing/failover (2) ISP connections of 6 mb down, and 2 mb up. This setup has worked flawlessly for about 3 years now. I have checked from day one, and the max I can ever do via the vpn, using iperf/jperf, is about 500-600 kb's.
      When these two machines were set up, I simply used the IPSEC vpn tutorial on the pfSense wiki page as values. Neither one of these machines has IPsec accelerator cards in them. They are both p4 vintage 1 gb ram castoff commercial 1u cased units, for completeness.
      I do not know any other way of 'increasing bandwidth' between the two school buildings, although this is the way it has always been, so this is just a given, so to speak.
      I would guess changing the encryption routines may or may not have slight beneficial results.
      Anyone have any comments?

      Thank You,
      Barry

        Zeon

        Hi Barry,
        I would definitely recommend you try changing some of the encryption, especially changing your phase 2 to "Blowfish". Have you also tried changing from ESP to AH to see whether you get better speeds without encryption?

          marcelloc

          Check CPU usage while doing stress test. If it hits 100% CPU, you may need to change something.

          Also test link the same way you did But VPN to see if you get 2mbit.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            RobinGill

            I thought accelerator cards were only really useful for units with very little cpu power such as the alix and soekris boards, and they would actually be slower than a p4?

            I would have thought a p4 with any encryption type would easily handle a 2Mb connection?

              cmb

              You don't need a crypto card for 2 Mb on a Geode proc much less a P4. Test the iperf both outside the VPN and inside it and compare, you'll lose some throughput inside the VPN but shouldn't be much. Generally with the description you've provided, the reason for the limit is you can't get your max bandwidth between the sites, or you have other traffic chewing up a chunk of the connection so you don't have the full bandwidth for the VPN.

                marcelloc

                Check with your provider if there is no QoS applied to IPsec or any other protocol.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.