Slow IPsec VPN

I have two Sophos UTM Home endpoints, one at my house and another at my friend's, with a VPN between us. I cannot get speeds over 30Mbps on the VPN from me to my friend's house, but if he downloads directly from my web server he maxes my connection out at around 75Mbps.

My UTM - Dual Core Celeron 2.9GHz 4GB
All security services enabled
75/75Mb fiber (tested to 80/80)

Friend's UTM - Dual Core Celeron 2.9GHz 4GB
All security services enabled
105/10Mb cable (Tested to 125/12)

VPN is AES128 SHA2 128 with PFS. (I have tried all different types of combinations.) Both systems show about 5-9% CPU load when transferring, and I have even tried turning off the IPS/Web proxy with no difference in speed. Our previous configuration was with an EdgeRouter Lite on both ends, which allowed IPsec VPN speeds to max my connection out.

The issue is on the UTMs somewhere but I cannot seem to find something that works.


  • I just moved my installation from virtual to physical (both on UTM 9.353).

    Virtual: Hyper-V VM, AMD Phenom II X4 2,8 GHz, 2 vCores, without AES-NI
    Physical: Zotac CI323, Intel Celeron N3150 1,6-2,08 GHz, 4 Cores, with AES-NI

    My internet bandwidth is 75 Mbps; with virtual I could completely saturate the 75 Mbps.
    The physical gets only half of it through; it seems AES-NI is not used, despite it being available (checked with www.cyberciti.biz/.../)

    IPSec Policy:
    IKE Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 7800 seconds
    IPsec Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 3600 seconds

    Any ideas why it's now slower? It should be the same at least.
  • Edmund, instead of "AES 128," use "AES 128 GCM" in your IPsec Settings to get AES/NI to kick in.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm having the same problem.  Did this ever get resolved?  

    I don't see any settings for AES 128 GCM in the policies on my Sophos so I couldn't try this suggestion.

    I have a 1GB and 2GB link.  When transferring over the public connection I can pull the full 1gig.  When using the IPSEC tunnel I get 35MB/s.   Both UTMs running 9.402-7, however this has been an ongoing issue.

    One device is an SG330 and the other end is a home built Intel(R) Core(TM) i3-3240 CPU @ 3.40GHz with SSD storage and 4GB RAM.

    Thanks,

    Mike
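
The posts above turn on whether AES-NI is actually in use for the CBC policy and for the GCM one. One way to check that from a shell on a Linux-based gateway, as an added example that is not part of the thread and not Sophos code: it assumes ESP encryption goes through the Linux kernel crypto API, parses `/proc/cpuinfo` and `/proc/crypto`, and runs here on constructed sample data; the function names are hypothetical.

```shell
# Highest-priority driver for algorithm $1 in a /proc/crypto-format file $2.
best_driver() {
    awk -v want="$1" -F ' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { drv = $2 }
        $1 == "priority" && name == want && (pick == "" || $2 + 0 > best) {
            best = $2 + 0; pick = drv
        }
        END { if (pick == "") exit 1; print pick }
    ' "${2:-/proc/crypto}"
}

# Succeeds if the "flags" line of a /proc/cpuinfo-format file $1 lists aes.
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# One line per transform: algorithm, selected driver, verdict (by driver name).
report() {   # $1 = cpuinfo file, $2 = crypto file (default: live /proc)
    cpu_has_aes "$1" || { echo "cpu: no aes flag"; return 1; }
    for alg in 'cbc(aes)' 'rfc4106(gcm(aes))'; do
        drv=$(best_driver "$alg" "$2") || drv=none
        case $drv in
            none)    verdict=not-registered ;;
            *aesni*) verdict=aes-ni ;;
            *)       verdict=software ;;
        esac
        echo "$alg $drv $verdict"
    done
}

# Constructed sample data (not captured from any UTM).
sample=$(mktemp -d)
echo 'flags : fpu sse2 ssse3 pclmulqdq aes' > "$sample/cpuinfo"
cat > "$sample/crypto" <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-aesni
priority     : 400

name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
priority     : 400
EOF
report "$sample/cpuinfo" "$sample/crypto"
```

Calling `report` with no arguments reads the live `/proc` files. Template-based entries appear in `/proc/crypto` only after something has used them, so run it while the tunnel is carrying traffic.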
