Speed of IPsec tunnel negotiation

  • I'm looking for input from other pfSense users regarding the speed of IPsec tunnel negotiation (without the use of additional crypto hardware).

    Once my site-to-site VPN tunnel is established, everything is fine, and the ongoing performance of the tunnel is completely acceptable.  However, whenever the lifetime of my tunnel expires, it usually takes about 30 seconds before the tunnel is re-established and ICMP pings can successfully traverse the tunnel.

    For comparison, when I alternatively use a SonicWALL TZ190 as my local peer, the tunnel negotiation is nearly instantaneous; I may experience a ping outage of less than 3 seconds.  A SonicWALL PRO 3060 is my remote peer.

    My local pfSense is using an Intel Celeron E1500 @ 2.20 GHz with a very simple WAN/LAN configuration (and only one AES-256/SHA1/DH5 VPN tunnel).  At steady-state, the CPU load of my pfSense appliance is usually 0% and memory load is around 7%.

    I know this is 'only' a Celeron processor, and I know my SonicWALLs have optimized crypto processors, but given this seemingly feather-light load, should my overall Phase 1 and Phase 2 negotiation still be taking this long?  How long do your tunnel negotiations take?

  • It's instantaneous, more or less, a fraction of a second, even on far slower hardware than that. My first guess: maybe you need to disable the "prefer old SAs" option under System>Advanced.

  • Thank you cmb!  Disabling 'Prefer older IPsec SAs' (i.e., clearing the checkbox) definitely shortened my IPsec negotiation time with the remote SonicWALL PRO 3060 to near-instantaneous.  Wow.

    Under the hood, was this setting causing a lot of 'negotiation chatter' between the two peers, or does this setting simply cause pfSense to spin its own wheels and cause the negotiation delay?  I ask because the SonicWALL 'Gen3' model series do not seem to have a corresponding setting.
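The posts above compare tunnels by how long pings stop flowing across a rekey (about 30 seconds versus under 3). The script below is an added example, not code from the thread or from pfSense, for putting a number on that: it pings a host on the far side of the tunnel once a second and reports every window of consecutive lost replies, so you can run it across one full SA lifetime before and after changing the setting and compare. It assumes a Unix `ping` with Linux-style `-c`/`-W` flags (on BSD and macOS `-W` is in milliseconds) and a hypothetical far-side address 192.0.2.10. The outage arithmetic is kept in a pure function so it can be checked on a constructed probe list without a tunnel.

```python
"""Measure how long an IPsec tunnel goes dark across an SA rekey.

Added example (not from the original thread or the pfSense project).
It probes a host behind the remote peer once per second and reports each
window of consecutive failed probes, i.e. the "ping outage" the posts
compare. Analysis is separated from probing so it can be tested offline.
"""
import subprocess
import sys
import time
from typing import Iterable, List, Optional, Tuple

Probe = Tuple[float, bool]    # (unix timestamp, reply received?)
Outage = Tuple[float, float]  # (start timestamp, duration in seconds)


def outages(probes: Iterable[Probe]) -> List[Outage]:
    """Return (start, duration) for each run of consecutive failed probes.

    Duration runs from the first failed probe to the first successful probe
    after it; a trailing run that never recovers ends at the last probe seen.
    """
    result: List[Outage] = []
    start: Optional[float] = None
    last_ts: Optional[float] = None
    for ts, ok in probes:
        if not ok and start is None:
            start = ts                      # outage begins
        elif ok and start is not None:
            result.append((start, ts - start))  # outage ends on first reply
            start = None
        last_ts = ts
    if start is not None and last_ts is not None:
        result.append((start, last_ts - start))  # still dark when we stopped
    return result


def worst_outage(probes: Iterable[Probe]) -> float:
    """Longest outage in seconds, or 0.0 if every probe got a reply."""
    return max((d for _, d in outages(probes)), default=0.0)


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping binary.

    Assumes Linux iputils flags: -c count, -W timeout in seconds.
    """
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


def monitor(host: str, seconds: int) -> List[Outage]:
    """Probe host once per second for `seconds` and return the outage windows."""
    probes: List[Probe] = []
    end = time.time() + seconds
    while time.time() < end:
        probes.append((time.time(), ping_once(host)))
        time.sleep(1)
    return outages(probes)


if __name__ == "__main__":
    # Usage: python ipsec_outage.py 192.0.2.10 3600
    # 192.0.2.10 is a hypothetical host behind the remote peer; run for at
    # least one full SA lifetime so that a rekey falls inside the window.
    target, duration = sys.argv[1], int(sys.argv[2])
    for start, length in monitor(target, duration):
        stamp = time.strftime("%H:%M:%S", time.localtime(start))
        print(f"{stamp}  outage {length:.0f}s")
```

Probe a host on the far LAN rather than the peer's WAN address, since the WAN address answers whether or not the tunnel is up. Compare the longest outage reported with the Phase 1/Phase 2 lifetimes configured on both peers to confirm the gap lines up with a rekey rather than with something else on the path.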
