Site-to-Site IPSEC Extremely Slow

I worked with this some more today and found by turning off PFS it seemed to resolve the slow speed issues for me.  I went from about 2Mbit to the full bandwidth of my connection which is 30Mbit.  I would be interested to know if someone else is having this issue if it resolves the issue for them.

I am using:

Phase 1:
AES256
DH GRP 5
Lifetime 7800
pre-shared key

Phase 2:
AES128
No DH GRP
Lifetime 3600

Dead-peer detection is enabled to re-initiate
Re-Keying is also enabled, mode is main.

What exactly is PFS and how do you turn it off?

Is there any risk in having this off?

We are going to be moving from using IPSEC over to RED site-to-site interfaces between all of our XG firewalls, but I have had some issue with that too.

See here for more Informations about PFS: https://de.wikipedia.org/wiki/Perfect_Forward_Secrecy 

XG 125 does support IPSec VPN Acceleration via QuickAssist - XG 105 does not. Maybe the Reason is related somewhere there? You can proof, if QuickAssist is enabled with the following command: 

console> system hardware_acceleration status



If it's enabled, I would disable it so both XG Devices are using Software to bring Up VPN Tunnel.

I did find this post about turning off PFS in your IPSEC policy.  I am going to try this tonight:

https://community.sophos.com/products/xg-firewall/f/vpn/75356/how-to-disable-pfs#pi2132219853filter=all&pi2132219853scroll=false

I tried that command, but my XG430 does not know it...

Hi John,

This command will not work on anything other than a Software, Virtual or XG125 appliance to my knowledge as the other appliances do not have the hardware_acceleration feature.  I think you are best to pursue the RED tunnels, I still have had my fair share of issues with the IPsec VPNs on XG appliances and have had better luck / performance with SSL S2S or RED S2S tunnels.  Disabling PFS is as simple as changing your Phase 2 DH Group to None, I do believe with removing PFS some security will be lost.

Thanks,
Hugh

Hi John,

This command will not work on anything other than a Software, Virtual or XG125 appliance to my knowledge as the other appliances do not have the hardware_acceleration feature.  I think you are best to pursue the RED tunnels, I still have had my fair share of issues with the IPsec VPNs on XG appliances and have had better luck / performance with SSL S2S or RED S2S tunnels.  Disabling PFS is as simple as changing your Phase 2 DH Group to None, I do believe with removing PFS some security will be lost.

Thanks,
Hugh

The Command is supported on XG 125, XG 135 and XG 750. All other Appliances do not support this command, because it's related on the type of CPU which is built in whether this command is supported or not.

I see the case ID 6009528, is closed in October. I believe you have another case open with support. Can you DM me the case# so that I can monitor it and push my team towards it.

Thanks

Hard to believe that disabling PFS "fixes" this issue.
PFS is only used on rekeying, which happens only once per hour , or even less frequent