OpenVPN vs IPSec



  • Is it me or is anyone else out there seeing that OpenVPN is much faster than IPsec? I know that I haven't given all the details but I was using the default:

    3DES
    SHA1

    in my phase 1 configuration, and I used the defaults in my phase 2 as well, but the tunnel was very unstable for me, especially after I upgraded to pfSense 2.03. I have an AMD X2 2.13GHz with 4GB of DDR2 RAM. The other pfSense box is a P4 2GHz with 2GB of RAM. Both internet connections are 100Mbps down, 20Mbps up. Both are on the Comcast network, about 40 miles apart. Through the IPsec tunnel I was getting roughly 400Kbps (yes, that's a K). I tried changing some of the settings that I had read about in the forums here, but nothing worked; some things made it even slower. This has been driving me crazy because I know it used to be faster; it's got me wondering if Comcast is throttling IPsec traffic.

    Well, I finally gave up and tried OpenVPN. I just upgraded my home box to 2.1 Beta-1 5.17 and I upgraded the one at work as well. My box at home is 64-bit; the box at work is 32-bit. Wow, what a big difference! With OpenVPN I'm getting about 15Mbps throughput from site to site, which is what I would expect. I'm totally happy with the results, but my question is why? I have read around and it seems that a lot of people are having throughput issues with IPsec. I have tried changing my MTU size (I forget what pfSense calls it). I'm just curious, and yes, I did try IPsec once both routers were upgraded, with the same results. I'm content now; I'm just going to see how stable it is. I would love to hear anyone's thoughts.

    P.S.
    I manually added rules to allow UDP port 1194 to ingress my firewall, then I disabled it to see if the traffic would stop, and it didn't. Does pfSense auto-generate rules when you enable OpenVPN?



  • Just made a change to OpenVPN: I added compression to the tunnel and traffic went down until I enabled the rule to allow UDP 1194 on the server. I'm thinking that since I generated that rule and a connection was already established when I disabled the rule, it didn't terminate any existing UDP 1194 connections. Additionally, it appears that you only need to open OpenVPN ports on the server, which makes sense because it's your server accepting unsolicited OpenVPN traffic. I was working late last night and was adding rules for the clients as well as the server.

    As a side note, when adding a rule, is there any way that existing connections using that port can be terminated? Maybe something like a button saying "terminate existing connections using specified port"?



  • Here is one answer to my question: to reset all your states, go to Diagnostics -> States -> Reset. This is a broad tool though. I would like to reset the states that correspond to a specific rule.
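A way to narrow that down from the shell, as an added example that is not from the thread or pfSense's own code: pfSense is built on pf, so `pfctl -ss` lists the state table, and the snippet below filters that output for states on a given protocol and port and prints the matching `pfctl -k src -k dst` commands instead of resetting every state. It assumes the plain `all proto addr:port <- addr:port STATE` line shape of `pfctl -ss` (no NAT mapping in parentheses) and uses constructed sample lines rather than real captured output.

```shell
#!/bin/sh
# Added example: select pf states by protocol/port so only those can be killed.
# Input lines are assumed to look like the plain `pfctl -ss` form on pfSense:
#   all udp 203.0.113.10:1194 <- 198.51.100.7:49152       MULTIPLE:MULTIPLE
# "<-" means the right-hand endpoint opened the state; "->" means the left did.

# Constructed sample of `pfctl -ss` output (not captured from a real firewall).
SAMPLE_STATES='all udp 203.0.113.10:1194 <- 198.51.100.7:49152       MULTIPLE:MULTIPLE
all tcp 192.168.1.1:443 <- 192.168.1.50:51000       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:53 -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 203.0.113.10:1194 <- 198.51.100.9:60001       MULTIPLE:MULTIPLE'

# states_for_port PROTO PORT: reads `pfctl -ss` lines on stdin and prints
# "srchost dsthost" for each state of PROTO with PORT on either endpoint.
states_for_port() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            split($3, l, ":"); split($5, r, ":")
            if (l[2] != port && r[2] != port) next
            # Normalise direction so the state creator is printed first.
            if ($4 == "<-") print r[1], l[1]; else print l[1], r[1]
        }'
}

# kill_commands PROTO PORT: prints one `pfctl -k src -k dst` per matching state.
# Caveat: pfctl -k with a host pair kills every state between those two hosts,
# not only the ones on PORT, so review the list before running it.
kill_commands() {
    states_for_port "$1" "$2" | awk '{ print "pfctl -k " $1 " -k " $2 }'
}

# Stand-alone demo on the constructed sample; on a real box feed `pfctl -ss`.
printf '%s\n' "$SAMPLE_STATES" | kill_commands udp 1194
```

On a live pfSense box the demo line becomes `pfctl -ss | kill_commands udp 1194`, and the printed commands are run only after checking that no other traffic between the same host pair should survive.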

