IPSec Site2Site VPN Performance - which is the best configuration?

lightskyblue Posts: 1  Freshman Member
edited April 2021 in Security
Hi there

We are using an IPSec Site2Site VPN.
At each site there is a Zyxel VPN300 with fiber WAN (1Gbps/1Gbps).

There are several options for IKE (IKEv1, IKEv2), Encryption (DES, 3DES, AES128, AES192, AES256), Authentication (MD5, SHA1, SHA256, SHA512) and also Perfect Forward Secrecy (DH1, DH2, DH5, DH14).

Are there some "best practices"?
Which is the best mix between security and performance?
What are your experiences?
Do the new VPN300 models have some special CPU support for some encryption methods?

Best regards

Comments

  • Blabababa
    Blabababa Posts: 150
     Master Member
    @lightskyblue
    The encryption/hashing algorithm should be chosen by users themselves. I think there is no so-called “best practice” but more likely a tradeoff between “Security” and “Throughput”. If you use a complex algorithm to encrypt your data, it consumes the CPU and the throughput will surely be lower.
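
One way to put numbers on the throughput side of that tradeoff for the authentication options listed in the question (MD5, SHA1, SHA256, SHA512). This is an added example, not part of the thread and not Zyxel code. The 1400-byte packet size, the function names and the random key and payload are assumptions, and the results describe the general-purpose CPU it runs on, not the VPN300.

```python
import hmac
import os
import time

# Authentication options named in the question, mapped to hashlib digest names.
AUTH_ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def hmac_throughput(digest, packet_size=1400, packets=5000):
    """Return HMAC throughput in MB/s for one digest over fixed-size packets."""
    key = os.urandom(32)              # constructed test key
    packet = os.urandom(packet_size)  # constructed payload, about one tunnelled packet
    start = time.perf_counter()
    for _ in range(packets):
        hmac.new(key, packet, digest).digest()
    elapsed = time.perf_counter() - start
    return (packet_size * packets) / elapsed / 1e6


def compare_auth_algorithms(packet_size=1400, packets=5000, rounds=3):
    """Benchmark every listed option; keep the best round to damp scheduler noise."""
    results = {}
    for label, digest in AUTH_ALGOS.items():
        results[label] = max(
            hmac_throughput(digest, packet_size, packets) for _ in range(rounds)
        )
    return results


def relative_cost(results, baseline="SHA1"):
    """Per-byte CPU cost of each algorithm relative to the baseline (1.0 = equal)."""
    base = results[baseline]
    return {label: base / mbps for label, mbps in results.items()}


if __name__ == "__main__":
    res = compare_auth_algorithms()
    cost = relative_cost(res)
    # Fastest first; a 1 Gbps link needs roughly 125 MB/s per direction.
    for label in sorted(res, key=res.get, reverse=True):
        print(f"{label:7s} {res[label]:9.1f} MB/s   cost vs SHA1: {cost[label]:.2f}x")
```

The ordering varies between CPUs, so run it on hardware comparable to the gateway before drawing conclusions.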

