fortinetuser2020
New Member
October 22, 2019
Solved

ipsec tunnel settings for best performance


I want to set up an IPsec tunnel tuned for stability and best performance/throughput, ignoring security. Security is not a requirement here.

FortiGate 200E. What are the best settings and proposals needed for best performance and stability, while ignoring security?

Thank you



    ede_pfau
    SuperUser
    October 22, 2019

    Quite a broad question... Mainly you're asking for 'best practices'.

    1- performance

    You can only reduce performance by choosing proposals (phase1 and phase2) which are not hardware-accelerated. ATM AES256 is deemed secure, costs less performance than 3DES (ugh) and is run on the SP (ASIC), that is, accelerated.

    I'd rather stay away from EC proposals.


    2- stability

    Is IMHO mainly dependent on line stability. If the WAN line glitches, an IPsec tunnel has to renegotiate (which BTW reduces throughput as well).


    But you can plan for more stability in the network design. Use redundant tunnels and monitor connectivity with link-monitors. If set up correctly, this minimizes downtime. See to it that switching between tunnels is delayed (with hysteresis) to avoid flapping.

    In FortiOS 5.6 and esp. 6.0 and 6.2 you can achieve all of this with the SD-WAN construct. Recommended.


    And one last stability hint: do not use the latest, bleeding-edge firmware version. You never do. v6.0.6 is stable and secure.

    fortinetuser2020
    New Member
    October 22, 2019

    Thank you.

    So about performance, a good choice with the 200E will be AES256 with MD5, right?

    And about stability, I only have 1 WAN on each side, so the stability is only as good as the stability of my WAN lines on each side, right?

    emnoc
    Best answer
    New Member
    October 22, 2019

    I would look at GCM vs. CBC ciphers for performance, but the impact might not be much of anything; overhead would be less with Galois Counter Mode. Take a look at "suite-b-gcm-128/256".

    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/238852/encryption-algorithms

    YMMV

    Ken Felix
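    Putting both answers together as an added example (not from either poster, and not a Fortinet-published config): a FortiOS 6.x CLI fragment with a hardware-accelerated GCM proposal as emnoc suggests (AEAD, so no separate integrity hash is configured), a non-EC DH group as ede_pfau prefers, DPD, and a link-monitor whose failtime/recoverytime act as the hysteresis ede_pfau describes. Interface name, peer address, subnets and the monitored host are assumed placeholders; the same link-monitor pattern on a second tunnel is what drives failover when two WAN links exist.

```fortios
# Phase 1: GCM proposal, DH group 14 (non-EC), DPD so a dead peer is renegotiated
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes128gcm-prfsha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.10
        set psksecret <PSK-PLACEHOLDER>
    next
end
# Phase 2: matching GCM proposal; auto-negotiate keeps the SA up without waiting for traffic
config vpn ipsec phase2-interface
    edit "vpn-primary-p2"
        set phase1name "vpn-primary"
        set proposal aes128gcm
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Link monitor across the tunnel: 5 consecutive failures before the route is pulled,
# 5 consecutive successes before it is restored, so a brief glitch does not flap the tunnel
config system link-monitor
    edit "mon-vpn-primary"
        set srcintf "vpn-primary"
        set server "10.2.0.1"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```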