Slow Transfer Speeds - IPSec VPN Site to Site Connection

Options
NathanDLD
NathanDLD Posts: 3
First Anniversary First Comment
edited April 2021 in Security
Hello, has anybody had issues with transfer speeds when setting up a site to site IPSec VPN tunnel between to routers in 2 different locations?

The connection is setup properly and stays connected no problem, but the transfer speed seems to be about 1mb every 10 minutes.  I have 15mbps upload speed via speedtest results.

I have tried adding the subnets to the BWM module with a higher priority, and have tried turning it off completely with the speeds remaining the same.

I have also tried a couple of different security settings in the VPN connection and VPN Gateway settings with no change.  I read somewhere that turning off PFS in the Phase 2 settings, but that didn't help either...

Any suggestions on what I can check?  

My Main Office Gateway is a USG110
My Offsite Gateway is a USGW20-VPN

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    First Anniversary Friend Collector First Answer First Comment
    Options
    Hi @NathanDLD

    It is difficult to give to you a good answer without more information.

    I would check some topics as:
    - CPU on both gateways
    - Number of sessions
    - Throughput
    - Latency
    - Jitter
    - % Packet loss
    ...

    Good luck. 
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @NathanDLD,

     

    We have run a similar lab test between two ZyWALL 110 using FTP file transfer.

    Download the file from FTP server. Transfer speed is around 60-70Mbps.

    We suggest you replace 3DES with AES256 to get better throughput.

    Besides, the throughput may be affected by the performance of the FTP server.

     

    Here is the example for your reference.

    ISP: 100Mbps

    Firewall are enabled on both ZyWALL 110.

    File size on FTP server: 4 GB

    Phase 1: 3DES/SHA1/DH1

    Phase 2: 3DES/SHA1/none

    PC(192.168.1.34)-----(192.168.1.1) ZyWALL 110 ----------VPN-------- ZyWALL 110(192.168.11.1)----FTP server(192.168.11.33)

    Test: PC access FTP server by the server's internal IP address 192.168.11.33 directly.

     

    As @Alfonso said, please share more information such as the phase1/phase2 settings and the transfer protocol in your test scenario with us to check if the throughput is normal.

  • NathanDLD
    NathanDLD Posts: 3
    First Anniversary First Comment
    Options
    Okay, changing 3DES to AES256 in both phases.  Will repost if this changes anything.  Below are relevant settings (I think)...

    ISP - 75 down/ 15 up
    BWM is on, dedicating 5mbps down and 3mbps up for our phone server. (have tried disabling with no change)
    Firewall is on in both routers (USG110 and USG20W)
        Have tried disabling both firewalls to test if that's an issue with no change in results.


    VPN Gateway Settings

    Negotiation Mode: Main
    Phase 1: AES256/SHA1/DH1
    NAT Traversal: Checked
    DPD: Checked

    VPN Connection Settings 

    Nailed Up: Checked
    Enable Replay Detection: UnChecked
    Enable NetBIOS broadcast over IPSec: Checked
    MSS Adjustment: Auto

    Application Scenario: Site to Site

    Enable GRE over IPSec: Unchecked
    Policy Enforcement: Unchecked

    Active Protocol: ESP
    Encapsulation: Tunnel
    Phase 2: AES256/SHA1
    PFS: none

    Everything below zone info is blank/default




  • alexey
    alexey Posts: 188  Master Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hi!
    We start seen low transfer speed. Now i experiment with UTM rules in Ipsec zone.
    Between 2 ZW USG 1100 with 2 diff providers VPN 1 Gbit/s, we have around 150 Mbit/s tranfer speed, instead 800 Mbit/s in Datasheet.
    VPN build on 2 VTI interface in trunk.
    Each phase aes128/sha256/dh2.
    What settings are optimal for the highest ipsec vpn perfomance?
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
     
    To check if the throughput test is normal, please let me know "how you run the test".
    We need to know what application and tool are used in your lab test. (iPerf, FTP transfer, etc)
     
    For example: PC access FTP server by the server's internal IP address 192.168.11.33 directly. 
    PC(192.168.1.34)-----(192.168.1.1) ZyWALL 110 ----------VPN-------- ZyWALL 110(192.168.11.1)----FTP server(192.168.11.33)

  • NathanDLD
    NathanDLD Posts: 3
    First Anniversary First Comment
    Options
    I’m simply looking at the monitor tab > VPN Monitor > IPSEC where it shows uptime and total transfers inbound and outbound.  Since my post on the 28th it says it has transferred 44000 bytes inbound and 50000 bytes outbound.  This is a remote backup which has a couple TB to transfer over to my backup NAS storage device.

    I’ll see if I can get another computer connected over there to test a file, but I can’t test it using these devices (2 x Drobos on 2 separate networks).  I have had them connected for a month now and it’s probably transferred a total of 1GB if I’m lucky.

    i have no paid subscription for any of the UTM services if that matters.
  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Options
    Hi Nathan, just my ten-cents worth concerning  transfers between a peers on a VTI tunnel in different geographic relocations in the same metro WAN (Hong Kong) and two different ISP (PCCW Biznetvigator) HKT fibre and HK i-CABLE (async), Wharf  and HKBN (fibre)  over "fibre" (vdsl??) ... etc etc , regardless of the range of hops.. 

    My experience has been that the overall transfer "speed" between the VTI gateways appears to be the  effective "speed" of the LOWEST performance of up/down {in or out !) or all the VTI physical and logical components.

    I'm advised that this is just "how it is" due to the handshaking of the IKE etc. (true ?? ... seems logical) 

    Rather than watch a UI , we see a broad range of performance between host peers at each end of a VTIx tunnel using data transfers with:
    1. traditional rsych
    2. remote AFP file mounts
    3. remote SMB file mount (with signing off/disabled) 
    4. and ZFS send / receives (ssh) 
    regardless of the host platform...  (FreeBSD, Ubuntu, macOS and even iOS (with appropriate app .. transmit.app, file browser.app  etc)), all the above exhibit similar the same and repeatable "performance" range over a particular VTI tunnel and ISP.

    Given an optimal setup , as here in Home Kong with a so called "1Gig" fibre service from PCCW (HKT) BIZNetvigator between two VTI peers on this same ISP between two locations across the Hong Kong metro WAN (5 hops)  we experience 90GB/hr + with and without a VTI VPN  or GRE type tunnel  .... I've been advised that "we could do better "..  :#

    Thus is seems apparent that a fully synchronous path between the VTI tunnel will provide optimal results.

    BTW we use AES128 and SHA512 on VPN connection P2  and  don't notice any performance hit on large heavy haul transfers or trivial transactions (web pages)  etc.. 


    I'd certainly like to know of others experiences.

    HTH

    Warwick
    Hong Kog. 

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)