Niall_Kelly
New Member
July 10, 2013
Question

Slow Throughput over IPSEC VPN

  • July 10, 2013
  • 8 replies
  • 25188 views
Hello, We are using 2 X Fortigate 310 B V4.0 MR1 in a site to site / point to point configuration. We have an IPSec VPN between both devices but we are getting a very poor throughput speed between both devices over the VPN. The point to point connection speed is 1 Gb but we are only achieving a max speed of 300 mbs. If we avoid going over the VPN and don't send traffic encrypted we get 900 mbs. We have tricked around with encryption settings to no avail. Does anyone have a similar issue? Regards, Niall

    8 replies

    rwpatterson
    New Member
    July 10, 2013
    Welcome to the forums. Have you looked into packet fragmentation?
    Niall_Kelly
    New Member
    July 11, 2013
    > Have you looked into packet fragmentation?
    Hi, Many thanks for the response. No we haven't really investigated packet fragmentation yet. Would you have any suggestions / best practices regarding this? Thanks, Niall
    Niall_Kelly
    New Member
    July 11, 2013
    Actually, sorry for the confusion, we have allowed for jumbo frames with an MTU of 9216 on the switch ports which the Fortinet is connected to. Is there anything that needs to be done on the Fortinet to allow for this? Thanks, Niall
    romanr
    New Member
    July 11, 2013
    Hi, the switch port settings won't have much effect. What is your MTU setting on this L3 network? To see if your packets get fragmented, sniffing on one of the sides will be necessary. If you want to reach this high throughput you will also really need the NP2 IPSec acceleration - so have you followed the guidelines of the Fortigate Hardware manual? There are plenty of rules to follow to reach the performance numbers from the datasheet!!! Can you post the results of:
    diagnose vpn ipsec status
    br, Roman
    Niall_Kelly
    New Member
    July 11, 2013
    Thanks for the post Romanr. Yes I believe we are using the NP2 acceleration - the ports in use are NP2 powered ports. I will check the manual again. Below is output from that command:
    #diagnose vpn ipsec status
    All ipsec crypto devices in use:
    NP2-0
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    NP2-1
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    NPU HARDWARE
    null: 0 0
    des: 0 0
    3des: 0 0
    aes: 0 0
    null: 0 0
    md5: 0 0
    sha1: 0 0
    sha256: 0 0
    CP6:
    null: 0 0
    des: 0 0
    3des: 78496898028 26028908419
    romanr
    New Member
    July 11, 2013
    Hi, as you can see from the stats - your 310B is running the IPSec from the CP6 and not on the NP2, which would be much faster! You need the local-gw parameter set on your IPSec phase 1 settings!! I'd guess you miss that one! Also consider upgrading to the latest 4MR2. br, Roman
    Niall_Kelly
    New Member
    July 12, 2013
    Thanks for the quick response. Ok, it looks like you are right. I inherited this device so I didn't do the original config. It looks like I will have to recreate the Phase 1 as the existing Phase 1 does not allow me to specify a local gw in order to configure the NP2. I will make this change over the weekend and will report my findings. Thanks, Niall
    Carl_Wallmark
    New Member
    July 12, 2013
    I think you can add the local-gw from CLI:
    config vpn ipsec phase1-interface
        edit <tunnel>
            set local-gw x.x.x.x
    end
    romanr
    New Member
    July 12, 2013
    Hi, as Selective mentioned - this change can be done on the CLI without the need to delete! Have also a look at the following settings (only via CLI):
    config system npu
    show full
    Should look like this:
    config system npu
        set dec-offload-antireplay enable
        set enc-offload-antireplay enable
        set offload-ipsec-host enable
    end
    br, Roman
    Niall_Kelly
    New Member
    July 12, 2013
    Thanks Guys, So do I not need to follow the scenario guidelines, i.e. for a policy based IPsec do the following?
    Accelerated policy-based VPN configuration
    To configure FortiGate_1
    1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
    2. Configure Phase 1 settings (name FGT_1_IPsec), plus
       • Select Advanced.
       • Ensure that the Enable IPsec Interface Mode check box is not selected.
       • In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1's FortiGate-ASM-FB4 module on port 2.
    3. Select OK.
    4. Select Create Phase 2 and configure Phase 2 settings, including
       • Select Enable replay detection.
       • set enc-offload-antireplay to enable using the config system npu CLI command.
    5. Go to Policy > Policy > Policy.
    6. Configure an IPsec VPN policy to apply the Phase 1 IPsec tunnel you configured in step 2 to traffic between FortiGate-ASM-FB4 module ports 1 and 2.
    romanr
    New Member
    July 12, 2013
    Hi, I don't know whether you use Tunnel or Policy mode VPN. In both, offloading should be possible. You need to have
    - the local-gw parameter in the phase1 config set to the local IP of your interface terminating this tunnel
    - this interface needs to be either a port on the NP2 or a VLAN interface on one of the NP2 ports or LACP trunks there!
    - the "config system npu" parameters properly set as mentioned in the hardware manual
    - your encryption parameters must be offloadable - as stated in the hardware manual.
    Everything else is the same with any tunnel.... To see if your tunnel is offloaded use the following diag command:
    diagnose vpn tunnel list
    An offloaded tunnel will have an additional line on the bottom like this:
    npu_flag=03 npu_rgwy=XX.XX.XX.XX npu_lgwy=YY.YY.YY.YY npu_selid=3, dec:pkts/bytes=10625/5965258, enc:pkts/bytes=18860/3877627
    br, Roman
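An added example, not from the thread or from Fortinet, that automates the two checks used above: it parses the per-device counters of "diagnose vpn ipsec status" (the way romanr read Niall's output to see that CP6, not NP2, was doing the crypto) and looks for the trailing npu_flag line of "diagnose vpn tunnel list". The sample outputs are constructed to match the shape quoted in the thread; the tunnel name and gateway addresses are placeholders.

```python
import re

# Constructed sample shaped like the "diagnose vpn ipsec status" output
# quoted in the thread: a device name, then "algorithm: enc dec" counters.
STATUS_SAMPLE = """\
All ipsec crypto devices in use:
NP2-0
null: 0 0
3des: 0 0
aes: 0 0
sha1: 0 0
CP6:
null: 0 0
3des: 78496898028 26028908419
sha1: 78496898028 26028908419
"""

# Constructed sample of the extra line romanr says an offloaded tunnel shows
# in "diagnose vpn tunnel list" (name and addresses are placeholders).
TUNNEL_SAMPLE = """\
name=to_site_b ver=1 serial=1 10.0.0.1:0->10.0.0.2:0
npu_flag=03 npu_rgwy=10.0.0.2 npu_lgwy=10.0.0.1 npu_selid=3, dec:pkts/bytes=10625/5965258, enc:pkts/bytes=18860/3877627
"""

def parse_ipsec_status(text):
    """Return {device: {algorithm: (enc_count, dec_count)}} from the status output."""
    devices, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\w+):\s+(\d+)\s+(\d+)$", line)
        if m and current is not None:
            devices[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif line and not line.startswith("All "):
            current = line.rstrip(":")        # device header such as "NP2-0" or "CP6:"
            devices.setdefault(current, {})
    return devices

def busiest_device(text):
    """Crypto device carrying the most encrypt+decrypt work, or None if every counter is zero."""
    totals = {dev: sum(e + d for e, d in algs.values())
              for dev, algs in parse_ipsec_status(text).items()}
    dev = max(totals, key=totals.get, default=None)
    return dev if dev is not None and totals[dev] > 0 else None

def tunnel_is_offloaded(text):
    """True when the tunnel listing carries the npu_flag line that marks NP2 offload."""
    return re.search(r"^npu_flag=[0-9a-fA-F]+\s+npu_rgwy=", text, re.M) is not None
```

A result of CP6 from busiest_device means the tunnel is being handled in software-assisted crypto rather than on the NP2, which is the condition the thread diagnoses.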