Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 22 replies
  • Subscribers 4 subscribers
  • Views 73365 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Slow IPsec VPN

Emotive
I have two Sophos UTM Home endpoints, one at my house and another at my friends with a VPN between us. I cannot get speeds over 30Mbps on the VPN from me to my friends house but if he downloads directly from my web server he maxes my connection out at around 75Mbps.

My UTM - Dual Core Celeron 2.9Ghz 4GB
All security services enabled
75/75Mb fiber (tested to 80/80)

Friends UTM - Dual Core Celeron 2.9Ghz 4GB
All security services enabled
105/10Mb cable (Tested to 125/12)

VPN is AES128 SHA2 128 with PFS.(I have tried all different types of combinations) Both systems show about 5-9% CPU load when transferring, and I have even tried turning off the IPS/Web proxy with no difference in speed. Our previous configuration was with an EdgeRouter Lite on both ends which allowed IPsec VPN speeds to max my connection out.

The issue is on the UTMs somewhere but I cannot seem to find something that works.


This thread was automatically locked due to age.
  • 0 in reply to TKITFrank
    Hi. As IPSEC tunnels aren´t multithreaded, a single tunnel will only get as fast until it maxes out the specific CPU core on the multicore CPU where it´s running. For a 2,9 GHz (I assume consumer core2 or core i) CPU 300 MBits is a realistic value for a single tunnel.

    If your CPU´s already supports AES-NI extension, you most likely might get some extra boost by using the AES128_GCMxx encryption ciphers instead of "Normal" AES128.

    Otherwise only higher CPU MHz will help speeding up things further.

    BTW: Already followed the tweaking guide link in my signature ?

    /Sascha
  • 0 in reply to Sascha Paris
    Hi. As IPSEC tunnels aren´t multithreaded, a single tunnel will only get as fast until it maxes out the specific CPU core on the multicore CPU where it´s running. For a 2,9 GHz (I assume consumer core2 or core i) CPU 300 MBits is a realistic value for a single tunnel.

    If your CPU´s already supports AES-NI extension, you most likely might get some extra boost by using the AES128_GCMxx encryption ciphers instead of "Normal" AES128.

    Otherwise only higher CPU MHz will help speeding up things further.

    BTW: Already followed the tweaking guide link in my signature ?

    /Sascha


    Hi, yes I have read your guide. I am not new to networking, just Sophos UTM running on consumer hardware [:)]
  • 0
    I just moved my installation from virtual to physical (both on UTM 9.353).

    Virtual: Hyper-V VM, AMD Phenom II X4 2,8 GHz, 2 vCores, without AES-NI
    Physical: Zotac CI323, Intel Celeron N3150 1,6-2,08 Ghz, 4 Cores, with AES-NI

    My internet bandwidth is 75 Mbps, with virtual I could completely saturate the 75 Mbps.
    The physical gets only half of it through, it seems AES-NI is not used, despite its available (checked with www.cyberciti.biz/.../)

    IPSec Policy:
    IKE Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 7800 seconds
    IPsec Settings: AES 128 / SHA2 256 / Group 14: MODP 2048 Lifetime: 3600 seconds

    Any ideas why its now slower? It should be the same at least.
  • 0 in reply to EdmundSackbauer
    additionally, CPU is on both virtual and physical rather low <10%, and I am using only one thread/tunnel.
    This low CPU usage on physical is quite puzzling, as the core itself is 40% slower than the virtual core. If AES-NI would not be used I should see much more CPU usage.
  • 0 in reply to EdmundSackbauer
    Edmund, instead of "AES 128," use "AES 128 GCM" in your IPsec Settings to get AES/NI to kick in.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I'm having the same problem.  Did this ever get resolved?  

    I don't see any settings for AES 128 GCM in the policies on my Sophos so I couldn't try this suggestion.

    I have a 1GB and 2GB link.  When transferring over the public connection I can pull the full 1gig.  When using the IPSEC tunnel I get 35MB/s.   Both UTMs running 9.402-7, however this has been an ongoing issue.

    One device is an SG330 and the other end is a home built Intel(R) Core(TM) i3-3240 CPU @ 3.40GHz with SSD storage and 4GB RAM.

    Thanks,

    Mike

  • 0 in reply to MichaelMierwinski

    you are referring to GB and MB, but i think you mean Gbit/s and Mbit/s, right? capital B does mean Byte instead of bit.

    Your i3 CPU has no AES-NI hardware acceleration. But it should get more than 35 Mbit/s throughput.

  • 0 in reply to MichaelMierwinski

    I just have checked my ipsec tunnel to a friend, he has a pfsense firewall.

    I get on average around 35-40 Mbit/s, my internet provider gives me 75 Mbit.

    What I see is during transfer the rates are changing from second to second, sometimes I get nearly 75Mbit, then it goes down to 10,  then up again to 60 etc. Pings are usually around 15 ms, but every other second they go up to 350ms (without load on the tunnel).

    Very strange behaviour and nothing in the logs explaining that. The VPN tunnel is rock solid otherwise.

    Im puzzled, too.

    As I wrote earlier in this thread, I had no such problems with a virtual machine running UTM. I got full 75 Mbit via ipsec. Maybe the Realtek drivers are to blame?

  • 0 in reply to EdmundSackbauer

    Just for kicks I dumbed down the encryption.  I used these settings:

    Result is I was pulling down about 800mbit no problem.  I'll just leave it like this since my main concern is the speed of data being sent to the remote location.

Unfiltered HTML