Slow IPsec VPN

I have two Sophos UTM Home endpoints, one at my house and another at my friend's, with a VPN between us. I cannot get speeds over 30Mbps on the VPN from me to my friend's house, but if he downloads directly from my web server he maxes my connection out at around 75Mbps.

My UTM - Dual Core Celeron 2.9GHz 4GB
All security services enabled
75/75Mb fiber (tested to 80/80)

Friend's UTM - Dual Core Celeron 2.9GHz 4GB
All security services enabled
105/10Mb cable (Tested to 125/12)

VPN is AES128 SHA2 128 with PFS. (I have tried all different types of combinations.) Both systems show about 5-9% CPU load when transferring, and I have even tried turning off the IPS/Web proxy with no difference in speed. Our previous configuration was with an EdgeRouter Lite on both ends which allowed IPsec VPN speeds to max my connection out.

The issue is on the UTMs somewhere but I cannot seem to find something that works.


  • I just moved my installation from virtual to physical (both on UTM 9.353).

    Virtual: Hyper-V VM, AMD Phenom II X4 2,8 GHz, 2 vCores, without AES-NI
    Physical: Zotac CI323, Intel Celeron N3150 1,6-2,08 GHz, 4 Cores, with AES-NI

    My internet bandwidth is 75 Mbps, with virtual I could completely saturate the 75 Mbps.
    The physical gets only half of it through, it seems AES-NI is not used, despite it being available (checked with www.cyberciti.biz/.../)

    IPSec Policy:
    IKE Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 7800 seconds
    IPsec Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 3600 seconds

    Any ideas why it's now slower? It should be the same at least.
  • Edmund, instead of "AES 128," use "AES 128 GCM" in your IPsec Settings to get AES-NI to kick in.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
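
An added example, not part of any post in this thread and not Sophos code: the CPU flag only shows that AES-NI exists, while `/proc/crypto` shows which driver the Linux kernel would select for a cipher. The function names and sample entries are constructed; `cbc(aes)` and `rfc4106(gcm(aes))` are the kernel's names for AES-CBC and AES-GCM as used by ESP, and shell access to the Linux system being checked is assumed.

```shell
#!/bin/sh
# Which kernel crypto driver wins for an algorithm, and is it AES-NI backed?

# cpu_has_aesni [cpuinfo-file]: succeed if the CPU flags include "aes".
cpu_has_aesni() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# best_driver ALGO [crypto-file|-]: print the highest-priority driver for ALGO.
# The kernel uses the registered implementation with the highest priority.
best_driver() {
    awk -v algo="$1" '
        BEGIN { FS = " *: *"; best = -1 }
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "priority" && name == algo && $2 + 0 > best { best = $2 + 0; win = driver }
        END { if (best >= 0) print win }
    ' "${2:-/proc/crypto}"
}

# aesni_in_use ALGO [crypto-file|-]: succeed if the winning driver is AES-NI.
aesni_in_use() {
    case "$(best_driver "$@")" in
        *aesni*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample in /proc/crypto layout (not captured from a UTM).
sample_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
priority     : 100

name         : cbc(aes)
driver       : cbc-aes-aesni
priority     : 400

name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
priority     : 400

name         : ctr(aes)
driver       : ctr(aes-generic)
priority     : 100
EOF
}
sample_crypto | best_driver 'cbc(aes)' -   # demo on the constructed sample
```

On a live system, call `cpu_has_aesni` and `aesni_in_use 'cbc(aes)'` with no file argument to read `/proc/cpuinfo` and `/proc/crypto` directly.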
  • I'm having the same problem.  Did this ever get resolved?  

    I don't see any settings for AES 128 GCM in the policies on my Sophos so I couldn't try this suggestion.

    I have a 1GB and 2GB link.  When transferring over the public connection I can pull the full 1gig.  When using the IPSEC tunnel I get 35MB/s.   Both UTMs running 9.402-7, however this has been an ongoing issue.

    One device is an SG330 and the other end is a home built Intel(R) Core(TM) i3-3240 CPU @ 3.40GHz with SSD storage and 4GB RAM.

    Thanks,

    Mike

  • You are referring to GB and MB, but I think you mean Gbit/s and Mbit/s, right? A capital B means byte instead of bit.

    Your i3 CPU has no AES-NI hardware acceleration. But it should get more than 35 Mbit/s throughput.

  • I just have checked my ipsec tunnel to a friend, he has a pfsense firewall.

    I get on average around 35-40 Mbit/s, my internet provider gives me 75 Mbit.

    What I see is during transfer the rates are changing from second to second, sometimes I get nearly 75Mbit, then it goes down to 10,  then up again to 60 etc. Pings are usually around 15 ms, but every other second they go up to 350ms (without load on the tunnel).

    Very strange behaviour and nothing in the logs explaining that. The VPN tunnel is rock solid otherwise.

    I'm puzzled, too.

    As I wrote earlier in this thread, I had no such problems with a virtual machine running UTM. I got full 75 Mbit via ipsec. Maybe the Realtek drivers are to blame?

  • Just for kicks I dumbed down the encryption.  I used these settings:

    Result is I was pulling down about 800mbit no problem.  I'll just leave it like this since my main concern is the speed of data being sent to the remote location.

  • Hi Michael and everyone, I am also having this slowness issue on IPSEC.

    Any implications on the security side of your settings, Michael?

     

    Here are my current settings.

    Please can you recommend the best settings?

     

     

  • Hi and welcome to the UTM Community!

    Try using the "AES 128 PFS" Policy.  How much faster is that for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA