MarkusM
New Member
March 10, 2026
Solved

Fortigate IPSEC best cipher for performance

  • March 10, 2026
  • 1 reply
  • 333 views

Hi,

I did some comparison for throughput of Fortigate IPSEC tunnel on AWS. Here are my findings:

  • Encryption load is not scaled between multiple CPU cores (not a surprise)
  • A more complex proposal (higher DH group or hash function) does not result in worse performance
  • AES256GCM (and other non AES-CBC algorithms) were a (bad) surprise

Given that additional CPU cores did not improve the throughput, I only tested instances with 2 vCPUs.

  • Instance c7i.large, aes256-sha512 dh-group 21: 2 Gbit/s
  • Instance c5n.large, aes256-sha512 dh-group 21: 1.43 Gbit/s
  • Instance c7i.large, aes256gcm dh-group 21: 70 Mbit/s (!)


Is there any guidance available which is the best (most optimized) instance / cipher combination to get max throughput on AWS ec2?

    1 reply

    JoerVan
    Staff
    March 11, 2026

    Hi Markus,

    Thank you for posting your results. It is possible to use multiple CPUs for encryption or decryption. This can be done by using multiple tunnels between 2 FortiGate VMs or by using the round-robin function (https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-ipsec-round-robin-setting-on-FortiGate-has/ta-p/418481).

    You will also see that cloud providers indicate their VPN gateway can do 10 Gbit; this is a combined value for all tunnels, where each tunnel is limited to around 1.25 Gb/s.

    Feel free to reach out via DM or via email for additional conversation on the performance.

    Regards,

    Joeri
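    As an added illustration (not configuration from this thread or from Fortinet), the FortiOS CLI fragment below shows the two settings the posts talk about: an IKEv2 phase1/phase2 pair using aes256gcm with dh-group 21, and the global round-robin option from the Technical Tip Joeri links. The tunnel and interface names, the peer address and the PSK are placeholders, and the exact command path for the round-robin setting is assumed from that Technical Tip rather than taken from the thread.

```text
# Spread IPsec crypto work across cores (setting name assumed from the linked Technical Tip)
config system global
    set ipsec-round-robin enable
end

# Phase 1: IKEv2, AES-256-GCM with PRF-SHA512, DH group 21 (ECP-521)
config vpn ipsec phase1-interface
    edit "aws-tun1"                     # placeholder tunnel name
        set interface "port1"           # placeholder outside interface
        set ike-version 2
        set remote-gw 203.0.113.10      # placeholder peer (TEST-NET-3 range)
        set proposal aes256gcm-prfsha512
        set dhgrp 21
        set psksecret <PSK>             # placeholder, replace before use
    next
end

# Phase 2: AES-256-GCM ESP with PFS on the same group
config vpn ipsec phase2-interface
    edit "aws-tun1-p2"
        set phase1name "aws-tun1"
        set proposal aes256gcm
        set pfs enable
        set dhgrp 21
    next
end
```

    For the multiple-tunnel approach mentioned above, the phase1/phase2 pair is repeated under a different name for each additional tunnel so that traffic can be spread over them.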

    MarkusM (Author, best answer)
    New Member
    March 11, 2026

    Hi, thanks for the feedback.

    My test was between Fortigate VMs on AWS.

    FYI: Upgrading from FortiOS 7.4.11 to FortiOS 7.6.6 made a great difference. Now it looks much better using aes256gcm ciphers:

    c5n.large: 2.5 Gbit/s at 40% CPU (1 core) usage

    c7i.large: 4.5 Gbit/s at 40% CPU (1 core) usage

    So we are now hitting the AWS ec2 instance bandwidth limits and not the CPU limits anymore.

    JoerVan
    Staff
    March 12, 2026

    Thanks for this update and good to see this improvement with the latest release. 

    Joeri