Site-Site IPsec VPN throughtput single connection bandwidth limit?

starkaero · March 13, 2020, 8:21pm

Hello Everyone, I currently have a site to site vpn setup using IPsec that I can not figure out why connections are limited to about ~20Mbit in both directions when they are a single connection. But if I run a parallel iperf test I can saturate the full download speed of Site B. Is anyone aware of a bandwidth limit per connection on IPsec vpn’s?

Background info
Site A
1000/1000 Fiber
Pfsense Firewall

Site B
200/20 cable
Sonicwall

VPN Settings
Phase 1 AES 256bit SHA256 DH5
Phase 2 Protocol ESP AES 256bit SHA256 PFS key group 5

LTS_Tom · March 13, 2020, 11:50pm

IPsec is limited by the speed of the hardware Netgate has the performance of this systems listed here:
https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html

starkaero · March 14, 2020, 12:54am

Thanks Tom!

I took a look at that article and I think the issue is likely the states table (400000). I figured with the cpu power for the pfsense box running a Xeon (4threads) it should not matter, but now I think it’s kneecapped by its’ ram capacity (4gb).

You wouldn’t have any insight into why iperf3 would still be able to overcome the limits when 10 parallel connections are ran in test a compared to a test on a single connection?

FredFerrell · March 14, 2020, 3:05am

One thing to consider is latency and TCP windowing. When you run multiple threads/streams you will get higher throughput as long as you don’t saturate your internet connection. As you pointed out, your lowest ceiling for sending traffic to Site B is 200Mbit. The slowest part of your communication is the ACK back to the sender. If latency is high, it will affect your throughput since it has to wait longer for the ACK. When you run multiple streams (parallel connections) this process is likely staggered and therefore you get near full throughput.

starkaero · March 14, 2020, 4:32am

Thanks Fred

Latency between the sites is pretty jittery and higher than I would like. 50-110ms. Maybe some day site b will get fiber.

Thanks again

FredFerrell · March 14, 2020, 5:02pm

Latency has more to do with the distance between sites than anything else so regardless of what provider or type of circuit you get it won’t really change.

starkaero · March 14, 2020, 5:18pm

Absolutely, as well as the design of the isp’s network and peering agreements. Such as in this case the locations are only separated by 10 miles as the crow flies, but the network design of the cable isp causes the data to travel 300+ miles in this case.