IPSEC throughput

  • Hello All,

    pfSense-1.2.3-RELEASE    x 2

    We have a site to site IPSEC vpn between two school buildings. Each location has load balancing/failover (2) ISP connections of 6 mb down,and 2 mb up. This setup has worked flawless for about 3 years now. I have checked from day one,and the max I can ever do via the vpn,,,using iperf/jperf is about 500-600 kb's
    When these two machines were setup,I simply used the IPSEC vpn tutorial on the pfSense wiki page as values. Neither one of these machines have Ipsec accelorator cards in them. they are both p4 vintage 1 gb ram castoff commerical 1u cased units for completeness.
    I do not know any other way of 'increasing bandwidth' between the two school buildings although this is the way it has always been so this is justa  given so to speak.
    I would guess changing the encryptions routines may have or not have slight benificial results.
    Anyone have any comments?

    Thank You,

  • Hi Barry,
    I would definitely recommend you try changing some of the encryption, especially changing your phase 2 to "Blowfish". Have you also tried changing fro ESP to AH to see whether you get better speeds without encryption?

  • Check CPU usage while doing stress test. If it hits 100% CPU, you may need to change something.

    Also test link the same way you did But VPN to see if you get 2mbit.

  • I thought accelerator cards were only really useful for units with very little cpu power such as the alix and soekris boards, and they would actually be slower than a p4?

    I would have thought a p4 with any encryption type would easily handle a 2Mb connection?

  • You don't need a crypto card for 2 Mb on a Geode proc much less a P4. Test the iperf both outside the VPN and inside it and compare, you'll lose some throughput inside the VPN but shouldn't be much. Generally with the description you've provided, the reason for the limit is you can't get your max bandwidth between the sites, or you have other traffic chewing up a chunk of the connection so you don't have the full bandwidth for the VPN.

  • Check with your provider if there is no Qos applied to IPSec or any other protocol.

Log in to reply