IPSec/OVPN slow using NAT



  • I struggle to get some performance from a VPN between two pfsense 2.2.5, one being an SG-4860 (pfsense B), the other a VM (pfsense A) on 1 vCore E5-26xx at a hoster. The VM has only one NIC and its main purpose is to be a VPN gateway providing me with a static IP at home (server B, 10.1.0.80).

    I get about line speed in an IPSec VPN between the two pfsenses if I test from pfsense A, but roughly nothing if I connect from outside (client A) and pfsense A has to do some NAT first. I also tried OpenVPN, which was much slower, but with the same pattern. Any idea why the speed is so much lower for client A?

    I test the performance with iperf -P 3 and get the following results:

    no VPN:

    client A --> pfsense A                     400 MBit/s
                 pfsense A --> pfsense B       200 MBit/s  (~ line speed)
                 pfsense A <-- pfsense B        25 MBit/s  (~ line speed)  
    
    

    with IPSec:

                 pfsense A      --> pfsense B --> server B   180 MBit/s
    client A --> pfsense A (NAT)--> pfsense B --> server B     3 MBit/s  ??
    
    

    with OpenVPN:

                 pfsense A      --> pfsense B --> server B    55 MBit/s
    client A --> pfsense A (NAT)--> pfsense B --> server B     2 MBit/s  ??
    
    

    IPSec pfsense A
    P1: AES-128, SHA1
    P2: tunnel, 0.0.0.0/0, 10.1.0.80, ESP, AES128-GCM (auto), SHA1

    IPSec pfsense B
    P1: AES-128, SHA1
    P2: tunnel, 10.1.0.80, 0.0.0.0/0, ESP, AES128-GCM (auto), SHA1

    OpenVPN pfsense A (server)
    AES-128, SHA1
    IPv4 Local Network    none
    IPv4 Remote Network 10.1.0.0/24

    OpenVPN pfsense B (client)
    AES-128, SHA1
    IPv4 Local Network    none
    IPv4 Remote Network  none (policy routing)



  • SOLVED: it had nothing to do with the VPN configs,

    but the pfsense on one side is on KVM and was still offloading some checksum calculations to virtual hardware. Disabling all offloading, as mentioned in the pinned pfsense Xen/KVM FAQ, fixed it. Stupid me, not my first pfsense on KVM  :-[
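A quick way to check that state from the FreeBSD shell underneath pfSense, as an added example that is not from the thread: it parses ifconfig output for the checksum/TSO/LRO offload flags and prints the ifconfig commands that switch them off for the running system. The ifconfig output below is a constructed sample so the check runs offline; on a real box pipe `ifconfig` into the functions instead, and make the change persistent with the offloading checkboxes under System > Advanced > Networking that the KVM FAQ refers to.

```shell
#!/bin/sh
# Added example, not from the thread. Lists interfaces on a FreeBSD/pfSense
# host whose "options=" line still advertises checksum, TSO or LRO offloading
# (the cause of the slow NAT path on KVM above) and prints the ifconfig
# commands that turn it off until reboot.

# Constructed sample of `ifconfig` output from a KVM guest with a virtio NIC.
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 52:54:00:12:34:56
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
enc0: flags=0<> metric 0 mtu 1536
    groups: enc'

# Reads ifconfig output on stdin; prints "<iface> <FLAG>" for every offload
# flag that is still enabled. The loopback interface is skipped on purpose.
list_offload() {
    awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(":", "", iface) }
        /^[ \t]+options=/ && iface != "lo0" {
            split($0, parts, "[<>]")
            n = split(parts[2], flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO)$/)
                    print iface, flags[i]
        }'
}

# Turns the flag list into "ifconfig <iface> -<option>" commands. FreeBSD's
# ifconfig spells the IPv6 checksum options rxcsum6/txcsum6, so the _IPV6
# suffix is rewritten accordingly.
disable_commands() {
    list_offload | awk '{
        f = tolower($2); sub(/_ipv6$/, "6", f)
        print "ifconfig " $1 " -" f
    }' | sort -u
}

# Demonstration on the constructed sample; replace with: ifconfig | disable_commands
printf '%s\n' "$SAMPLE_IFCONFIG" | disable_commands
```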

