Topic: IPSEC throughput

brcisna
IPSEC throughput
« on: January 15, 2012, 01:08:43 pm »
Hello All,

pfSense-1.2.3-RELEASE    x 2
squid
squidGuard

We have a site-to-site IPSEC VPN between two school buildings. Each location has load balancing/failover (2) ISP connections of 6 mb down and 2 mb up. This setup has worked flawlessly for about 3 years now. I have checked from day one, and the max I can ever do via the VPN, using iperf/jperf, is about 500-600 kb's.
When these two machines were set up, I simply used the IPSEC VPN tutorial on the pfSense wiki page as values. Neither one of these machines has IPsec accelerator cards in them. For completeness, they are both P4-vintage, 1 GB RAM, castoff commercial 1U cased units.
I do not know any other way of 'increasing bandwidth' between the two school buildings, although this is the way it has always been, so this is just a given, so to speak.
I would guess changing the encryption routines may or may not have slightly beneficial results.
Anyone have any comments?

Thank You,
Barry

Zeon
Re: IPSEC throughput
« Reply #1 on: January 20, 2012, 04:14:59 pm »
Hi Barry,
I would definitely recommend you try changing some of the encryption, especially changing your phase 2 to "Blowfish". Have you also tried changing from ESP to AH to see whether you get better speeds without encryption?

marcelloc
Re: IPSEC throughput
« Reply #2 on: January 20, 2012, 09:02:19 pm »
Check CPU usage while doing stress test. If it hits 100% CPU, you may need to change something.

Also test link the same way you did but VPN to see if you get 2mbit.

RobinGill
Re: IPSEC throughput
« Reply #3 on: January 21, 2012, 03:30:10 pm »
I thought accelerator cards were only really useful for units with very little CPU power, such as the ALIX and Soekris boards, and they would actually be slower than a P4?

I would have thought a P4 with any encryption type would easily handle a 2Mb connection?

cmb (Administrator, Chris Buechler)
Re: IPSEC throughput
« Reply #4 on: January 24, 2012, 06:33:44 pm »
You don't need a crypto card for 2 Mb on a Geode proc, much less a P4. Test the iperf both outside the VPN and inside it and compare; you'll lose some throughput inside the VPN but it shouldn't be much. Generally with the description you've provided, the reason for the limit is you can't get your max bandwidth between the sites, or you have other traffic chewing up a chunk of the connection so you don't have the full bandwidth for the VPN.
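
The outside/inside comparison from Reply #4, as an added example that is not part of the original posts: it computes the per-packet ESP tunnel-mode overhead and checks whether the measured inside/outside iperf ratio is explained by that overhead alone. The iperf lines are constructed; the 96-bit HMAC ICV, the 1400-byte inner packet, the absence of NAT-T and the 10% slack are assumptions.

```python
import re

# Per-packet ESP tunnel-mode costs in bytes (RFC 4303 layout, IPv4, no NAT-T).
OUTER_IP = 20      # new outer IPv4 header
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV = 12           # assumption: HMAC-SHA1-96 or HMAC-MD5-96 authentication
CBC_BLOCK = {"3des": 8, "blowfish": 8, "aes": 16}  # block size == IV size

def esp_wire_size(inner_len, cipher):
    """Bytes on the wire for one inner IPv4 packet after ESP encapsulation."""
    block = CBC_BLOCK[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return OUTER_IP + ESP_HEADER + block + padded + ICV

def expected_ratio(inner_len, cipher):
    """Best-case inside/outside throughput ratio from encapsulation alone."""
    return inner_len / esp_wire_size(inner_len, cipher)

RATE = re.compile(r"([\d.]+)\s+([KM])bits/sec")

def iperf_kbits(report):
    """Rate in Kbit/s from the last bandwidth line of an iperf report."""
    value, unit = RATE.findall(report)[-1]
    return float(value) * (1000 if unit == "M" else 1)

def diagnose(outside, inside, cipher, inner_len=1400, slack=0.10):
    """Compare the measured inside/outside ratio with the ESP-only expectation."""
    measured = iperf_kbits(inside) / iperf_kbits(outside)
    expected = expected_ratio(inner_len, cipher)
    # Within `slack` of the ESP-only ratio: the tunnel costs what it should.
    verdict = "esp-overhead-only" if measured >= expected - slack else "excess-loss"
    return verdict, round(measured, 3), round(expected, 3)

# Constructed iperf summary lines (not measurements from the thread).
OUTSIDE = "[  3]  0.0-10.0 sec  2.25 MBytes  1.89 Mbits/sec"
INSIDE_OK = "[  3]  0.0-10.0 sec  2.12 MBytes  1.78 Mbits/sec"
INSIDE_SLOW = "[  3]  0.0-10.0 sec   750 KBytes   614 Kbits/sec"

if __name__ == "__main__":
    print(diagnose(OUTSIDE, INSIDE_OK, "3des"))
    print(diagnose(OUTSIDE, INSIDE_SLOW, "3des"))
```

An "excess-loss" verdict means the drop inside the tunnel is larger than encapsulation explains, which points back at the other checks raised in the thread: CPU load during the test and competing traffic on the link.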

marcelloc
Re: IPSEC throughput
« Reply #5 on: January 24, 2012, 07:42:20 pm »
Check with your provider if there is no QoS applied to IPSec or any other protocol.