1GB fiber link over IPsec



  • I have two sites with 1gb fiber links. Tunnels are up and passing traffic. However I am only getting around 5.5-6.5 MB/sec when transferring over the links. Is that a limitation in pfsense?

    I called the fiber vendor and everything is set correctly.



  • @jswope:

    I have two sites with 1gb fiber links. Tunnels are up and passing traffic. However I am only getting around 5.5-6.5 MB/sec when transferring over the links. Is that a limitation in pfsense?

    I called the fiber vendor and everything is set correctly.

    There is no hardcoded limitation anywhere, except hardware limitations. You have to provide more information before anyone can guide you. In theory you can see speeds around 800/900 mbit/s for a 1gbit/s link when using AES-NI with AES-128-GCM plus some good CPU cores.



  • As laped said, we need to know your hardware specs.



  • Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
    8 CPUs: 1 package(s) x 4 core(s) x 2 SMT threads

    4GB ram.

    CPU usage goes to a max of 8% when I transfer a file.

    How can I route traffic from site A to site B?

    Site A LAN 192.168.0.0/24, Site B LAN 10.33.217.0/24

    Gateways are 192.168.0.253 and 10.33.217.253.

    Direct link for fiber is 172.16.1.252/24 and 172.16.1.253/24.
    Do I just create a gateway from the interface of the site-to-site link (172.16.1.252 to the other side 172.16.1.253), or does each site need to be its own different subnet?



  • SITE A

    WAN 1.1.1.1
    LAN 192.168.0.253
    DATA 10.10.10.253
    VOICE 10.10.20.253
    WIRELESS 10.10.30.253
    PRINTERS 10.10.40.253
    GUESTWIRELESS 10.10.50.253
    SITETOSITE 172.16.1.253

    SITE B

    WAN 71.14.226.66
    LAN 10.33.217.253
    DATA 10.50.10.253
    VOICE 10.50.20.253
    WIRELESS 10.50.30.253
    PRINTERS 10.50.40.253
    GUESTWIRELESS 10.50.50.253
    SITETOSITE 172.16.1.252



  • @jswope:

    SITE A

    WAN 1.1.1.1
    LAN 192.168.0.253
    DATA 10.10.10.253
    VOICE 10.10.20.253
    WIRELESS 10.10.30.253
    PRINTERS 10.10.40.253
    GUESTWIRELESS 10.10.50.253
    SITETOSITE 172.16.1.253

    SITE B

    WAN 71.14.226.66
    LAN 10.33.217.253
    DATA 10.50.10.253
    VOICE 10.50.20.253
    WIRELESS 10.50.30.253
    PRINTERS 10.50.40.253
    GUESTWIRELESS 10.50.50.253
    SITETOSITE 172.16.1.252

    We don't need all your IP information; it doesn't tell anything about how IPsec has been configured.

    What are you using for authentication and encryption for IKE_SA, IPSEC_SA etc.?

    Have you enabled AES-NI?

    What are you using to test transfer speed? Dragging a folder in Windows tells nothing. Use iperf for testing purposes.

    Use Wireshark to test if packets get fragmented. If they are, reduce the MTU size for IPsec packets.



  • Sorry for the missing info.

    Phase One Auth is

    Authentication Method Mutual PSK
    Negotiation Mode Main

    Phase One Algorithms

    Encryption Algorithm AES 256 bits

    Hash Algorithm SHA256

    DH Key 2 (1024 bit)

    Phase 2

    Phase 2 Proposal (SA/Key Exchange)

    Protocol ESP

    Encryption Algorithms AES 256 bits

    Hash is SHA256

    Have you enabled AES-NI? -- No, I have not. Do you have to have a crypto accelerator?

    What are you using to test transfer speed? -- I am transferring a 2GB file across the tunnel.

    I will run Wireshark and post the results.



  • @jswope:

    Sorry for the missing info.

    Phase One Auth is

    Authentication Method Mutual PSK
    Negotiation Mode Main

    Phase One Algorithms

    Encryption Algorithm AES 256 bits

    Hash Algorithm SHA256

    DH Key 2 (1024 bit)

    Phase 2

    Phase 2 Proposal (SA/Key Exchange)

    Protocol ESP

    Encryption Algorithms AES 256 bits

    Hash is SHA256

    Have you enabled AES-NI? -- No, I have not. Do you have to have a crypto accelerator?

    What are you using to test transfer speed? -- I am transferring a 2GB file across the tunnel.

    I will run Wireshark and post the results.

    Okay, I can see that you don't have AES-NI available in your CPU instruction set, but you should be able to get around 200 mbit/s without it. Maybe you can see something weird testing with iperf and with Wireshark. Your encryption seems fine except DH 2 is weak and should be changed to at least 2048. Maybe changing from IKEv1 to IKEv2 should give better results too.
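
As an added illustration of the fragmentation and MTU advice in this thread (example code written for this page, not from the thread or from pfSense): it computes the on-the-wire size of a tunnel-mode ESP packet for the poster's AES-256-CBC / SHA256 proposal, the largest inner packet that still fits a 1500-byte path without fragmentation, and flags the DH group the way the reply above does. The per-field byte counts are assumptions taken from the ESP RFCs; AES-GCM is included for comparison with the AES-NI suggestion.

```python
import math

# Constructed constants for this example, following RFC 4303 (ESP), RFC 3602
# (AES-CBC), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128). IPv4 only.
OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
NAT_T_UDP = 8        # extra UDP header when NAT traversal (UDP/4500) is in use
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header, part of the padded region

ENC = {  # cipher: (IV bytes, alignment that plaintext+trailer is padded to)
    "aes-cbc": (16, 16),   # CBC pads to the 16-byte block
    "aes-gcm": (8, 4),     # GCM needs only 4-byte alignment
}
ICV = {  # integrity tag bytes carried after the ciphertext
    "hmac-sha256-128": 16,  # HMAC-SHA-256 truncated to 128 bits
    "hmac-sha1-96": 12,
    "aes-gcm-16": 16,       # AEAD tag; no separate HMAC
}
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


def esp_outer_len(inner_len, enc="aes-cbc", icv="hmac-sha256-128", nat_t=False):
    """Wire size of one tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    iv, align = ENC[enc]
    padded = math.ceil((inner_len + ESP_TRAILER) / align) * align
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + ICV[icv]


def max_inner_mtu(enc="aes-cbc", icv="hmac-sha256-128", nat_t=False, outer_mtu=1500):
    """Largest inner packet (IP header + payload) that fits outer_mtu without fragmentation."""
    # Walk downward: the padding step makes a closed form awkward and this is cheap.
    for n in range(outer_mtu, 0, -1):
        if esp_outer_len(n, enc, icv, nat_t) <= outer_mtu:
            return n
    return 0


def fragments(inner_len, enc="aes-cbc", icv="hmac-sha256-128", nat_t=False, outer_mtu=1500):
    """True when a packet of this inner size would be fragmented after ESP encapsulation."""
    return esp_outer_len(inner_len, enc, icv, nat_t) > outer_mtu


def dh_weak(group, min_bits=2048):
    """True for MODP groups below the minimum the reply above recommends."""
    return MODP_BITS[group] < min_bits


if __name__ == "__main__":
    # The poster's proposal: AES-256-CBC, SHA256, DH group 2, no NAT-T.
    print("1500-byte LAN packet on the wire:", esp_outer_len(1500), "bytes ->", fragments(1500))
    print("inner MTU that avoids fragmentation:", max_inner_mtu())
    print("same with NAT-T:", max_inner_mtu(nat_t=True), "| AES-GCM:", max_inner_mtu("aes-gcm", "aes-gcm-16"))
    print("DH group 2 weak:", dh_weak(2), "| DH group 14 weak:", dh_weak(14))
```

A full-size 1500-byte LAN packet becomes 1564 bytes after encapsulation, which is why Wireshark shows fragments; clamping the inner MTU to 1438 (or 1422 behind NAT) keeps every ESP packet within 1500.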



  • I don't see where to change from IKEv1 to IKEv2.



  • Never mind, I am blind haha ;D

