
Author Topic: IPSEC performance? tinc?  (Read 95 times)


Offline bobkoure

  • Jr. Member
  • Posts: 27
  • Karma: +0/-0
IPSEC performance? tinc?
« on: March 02, 2018, 10:27:24 am »
I've got IPsec tunnels up between two locations, and performance isn't what I'd hoped.
Both offices have SG2440s
Both sites have multiple ISPs (so gateway groups and fail-over)
For original setup / simplicity, IPSEC tunnels just use 1 ISP at each site
site 1 ISP1 has 20/20
site 2 ISP1 has 100/100

When I test with LANSpeedTest I get 3 Mbps.
For judging SMB overhead, when I test against a local file server I get 730 Mbps.

I have AES-NI instructions available on both ends, and am using AES-128 / AES-XCBC / DH2.

I have recently moved from Snapgear SG580s (Linux based) because those processors did not have AES-NI, and so I was using 3DES, which was slow, but not this slow - in the 5 Mbps range over these same connections.

So, what am I doing wrong? Looks like I've somehow pessimized my IPSEC connections  :-[
I've tried all sorts of combinations of encryption/hash algorithms and don't see any improvement.

BTW, with the Snapgears, I had PFS on. I have it off on pfSense.

Is there a "how to improve IPsec performance on pfSense" page around somewhere?

All that said, what about tinc?  I ran GRE tunnels over IPSEC on the snapgears, to un-block some protocols IPSEC was 'helping' me by filtering out. GRE looks problematic on pfSense. tinc to the rescue?

I've got about a day into making it work between my home pfSense and the branch office, so I can test performance. Wondering if it's worth my while to keep banging on it...

Finally: what forum group is appropriate for tinc questions?

Thanks for any help / suggestions...
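One check worth doing before blaming the crypto is to work out how much of the link the ESP encapsulation itself consumes. The calculator below is an added example, not code from the post or from pfSense; it assumes IPv4 tunnel mode with the ciphers named above (AES-128-CBC with a 16-byte IV, AES-XCBC-96 giving a 12-byte ICV) and uses the RFC 4303 ESP layout (SPI + sequence number header, padding to the cipher block, 2-byte trailer). It shows that ESP overhead alone leaves roughly 93% of the 20 Mbps link usable, so a 3 Mbps result points at something other than cipher overhead (MTU/fragmentation and MSS clamping are the usual next things to verify).

```python
"""ESP overhead calculator for an IPv4 tunnel-mode SA.

Added example (not from the forum post). Assumptions, per the post's
configuration: AES-128-CBC (16-byte block, 16-byte IV) and AES-XCBC-96
(12-byte ICV). Sizes follow RFC 4303.
"""

OUTER_IPV4 = 20     # outer IPv4 header (no options)
NAT_T_UDP = 8       # UDP header added when NAT traversal is in use
ESP_HEADER = 8      # SPI (4) + sequence number (4)
AES_BLOCK = 16      # AES block size; ESP pads plaintext to a multiple of it
AES_CBC_IV = 16     # explicit IV carried in the packet for AES-CBC
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the padded area
XCBC96_ICV = 12     # AES-XCBC-96 truncates the MAC to 96 bits
INNER_IPV4_TCP = 40 # inner IPv4 (20) + TCP (20) headers, no options


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire for one ESP packet carrying an inner packet of inner_len bytes."""
    # Plaintext = inner packet + trailer, rounded up to the AES block size.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
            + ESP_HEADER + AES_CBC_IV + padded + XCBC96_ICV)


def max_inner_mtu(outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits in outer_mtu without fragmenting the outer packet."""
    for inner_len in range(outer_mtu, 0, -1):
        if esp_packet_size(inner_len, nat_t) <= outer_mtu:
            return inner_len
    return 0


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS that keeps a full-size segment within inner_mtu."""
    return inner_mtu - INNER_IPV4_TCP


def payload_efficiency(outer_mtu: int = 1500, nat_t: bool = False) -> float:
    """Fraction of wire bytes that is TCP payload when segments are sized to avoid fragmentation."""
    inner = max_inner_mtu(outer_mtu, nat_t)
    return tcp_mss_for(inner) / esp_packet_size(inner, nat_t)


def expected_ceiling_mbps(link_mbps: float, outer_mtu: int = 1500, nat_t: bool = False) -> float:
    """Upper bound on TCP goodput once ESP framing is subtracted from the link rate."""
    return link_mbps * payload_efficiency(outer_mtu, nat_t)


if __name__ == "__main__":
    for nat_t in (False, True):
        inner = max_inner_mtu(nat_t=nat_t)
        print(f"NAT-T={nat_t}: inner MTU {inner}, MSS {tcp_mss_for(inner)}, "
              f"efficiency {payload_efficiency(nat_t=nat_t):.3f}, "
              f"ceiling on a 20 Mbps link {expected_ceiling_mbps(20, nat_t=nat_t):.1f} Mbps")
```

With a 1500-byte outer MTU and no NAT-T the largest inner packet is 1438 bytes (MSS 1398), and framing costs only about 6.5% of the link; an inner MTU left at 1500 instead turns every full-size segment into two outer fragments, which is the first thing to rule out when throughput collapses far below the ceiling this prints.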