Welcome, Guest. Please login or register.
Did you miss your activation email?
+  pfSense Forum
|-+  pfSense English Support» IPsec» IPSEC throughput
Username:
Password:
 
Home Help Search Login Register
 

Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: IPSEC throughput  (Read 1475 times)
0 Members and 1 Guest are viewing this topic.
brcisna
Full Member
***
Offline Offline

Posts: 166


View Profile
« on: January 15, 2012, 02:08:43 pm »
Hello All,

pfSense-1.2.3-RELEASE    x 2
squid
squidGuard

We have a site to site IPSEC vpn between two school buildings. Each location has load balancing/failover (2) ISP connections of 6 mb down,and 2 mb up. This setup has worked flawless for about 3 years now. I have checked from day one,and the max I can ever do via the vpn,,,using iperf/jperf is about 500-600 kb's
When these two machines were setup,I simply used the IPSEC vpn tutorial on the pfSense wiki page as values. Neither one of these machines have Ipsec accelorator cards in them. they are both p4 vintage 1 gb ram castoff commerical 1u cased units for completeness.
I do not know any other way of 'increasing bandwidth' between the two school buildings although this is the way it has always been so this is justa  given so to speak.
I would guess changing the encryptions routines may have or not have slight benificial results.
Anyone have any comments?

Thank You,
Barry
Logged
Zeon
Jr. Member
**
Offline Offline

Posts: 50


View Profile
« Reply #1 on: January 20, 2012, 05:14:59 pm »
Hi Barry,
I would definitely recommend you try changing some of the encryption, especially changing your phase 2 to "Blowfish". Have you also tried changing fro ESP to AH to see whether you get better speeds without encryption?
Logged
marcelloc
Hero Member
*****
Offline Offline

Posts: 8395



View Profile
« Reply #2 on: January 20, 2012, 10:02:19 pm »
Check CPU usage while doing stress test. If it hits 100% CPU, you may need to change something.

Also test link the same way you did But VPN to see if you get 2mbit.
Logged
Have I helped you? Donations are always welcome! Grin

Te ajudei? Doações são sempre bem vindas! Grin
RobinGill
Newbie
*
Offline Offline

Posts: 22


View Profile
« Reply #3 on: January 21, 2012, 04:30:10 pm »
I thought accelerator cards were only really useful for units with very little cpu power such as the alix and soekris boards, and they would actually be slower than a p4?

I would have thought a p4 with any encryption type would easily handle a 2Mb connection?
Logged
cmb
Administrator
Hero Member
*****
Offline Offline

Posts: 6119


View Profile WWW
« Reply #4 on: January 24, 2012, 07:33:44 pm »
You don't need a crypto card for 2 Mb on a Geode proc much less a P4. Test the iperf both outside the VPN and inside it and compare, you'll lose some throughput inside the VPN but shouldn't be much. Generally with the description you've provided, the reason for the limit is you can't get your max bandwidth between the sites, or you have other traffic chewing up a chunk of the connection so you don't have the full bandwidth for the VPN.
Logged
pfSense Commercial Support

Paying customers receive support priority and as in depth of assistance as desired through the official commercial support channels at portal.pfsense.org. Forum users receive as much help as time permits.
marcelloc
Hero Member
*****
Offline Offline

Posts: 8395



View Profile
« Reply #5 on: January 24, 2012, 08:42:20 pm »
Check with your provider if there is no Qos applied to IPSec or any other protocol.
Logged
Have I helped you? Donations are always welcome! Grin

Te ajudei? Doações são sempre bem vindas! Grin
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

 

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Page created in 0.033 seconds with 19 queries.