FortiOSman
New Member
October 24, 2016
Question

Testing IPSEC VPN latency

  • October 24, 2016
  • 1 reply
  • 12530 views

Hello,

Are there any good ways to test IPSEC VPN tunnel latency from the FortiGate? I currently just ping one of the endpoints from the CLI but was wondering if anyone does something differently. Ideally I would like this graphed out, but I do not think there is anything native that would do this. 

Looking forward to your responses.

1 reply

Toshi_Esumi
SuperUser
October 24, 2016

That's what I do too.

emnoc
New Member
October 24, 2016

Pinging a vpn remote-gw end-point is not passing traffic thru the IPSEC tunnel. If your goal is to test latency thru the tunnel, you need to monitor the traffic that goes thru the tunnel.

If you want a type of advanced latency monitoring and have a local subnet allowed thru the tunnel that uses TCP, you could craft a simple checker that measures the timestamp of the TCP SYN and the response of the SYN-ACK. This will give you an idea of the "actual" RTT. If you want one-way latency you will have to be creative and monitor A-------> B SYN ( CS ) and then B------A SYN_ACK ( SC ) to gather each path's one-way measurement. Latency is not always equal in both directions.

CS = client2server

SC = server2client

Ideally I would like this graphed out, but I do not think there is anything native that would do this.

These could be monitored, and graphed if required. For example, in Nagios you would need to write a custom check and apply it.

FWIW: the tunnel interface has an assigned SNMP IfIndex and you can graph it just like any physical interface.

e.g.

FGT40DCHIIL (root) $ show system interface VPNCHKP1 | grep snmp-index
    set snmp-index 124

Ken
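The SYN/SYN-ACK checker described in the reply above, written as a Nagios-style plugin; this is an added example, not code from the thread or from Fortinet. It runs on a monitoring host whose traffic to the remote subnet crosses the tunnel (not on the FortiGate itself), and times a TCP connect(), which completes when the SYN-ACK arrives. The target host/port and the warning/critical thresholds are assumed values.

```python
import socket
import time
from typing import Optional, Tuple

# Assumed thresholds in milliseconds; tune them to the tunnel's normal RTT.
WARN_MS = 100.0
CRIT_MS = 250.0


def tcp_rtt_ms(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """Time the TCP three-way handshake to approximate the SYN -> SYN-ACK RTT.

    connect() returns once the SYN-ACK has been received and the ACK sent, so
    the elapsed time is the round trip across the tunnel to a host on the
    remote subnet. Returns None if no handshake completes (refused,
    unreachable or timed out), so a down tunnel is distinguishable from a slow one.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.connect((host, port))
    except OSError:
        return None
    finally:
        sock.close()
    return (time.perf_counter() - start) * 1000.0


def nagios_result(rtt: Optional[float], label: str,
                  warn: float = WARN_MS, crit: float = CRIT_MS) -> Tuple[int, str]:
    """Map an RTT to a Nagios exit code and status line with perfdata for graphing."""
    if rtt is None:
        return 2, f"CRITICAL - {label}: no SYN-ACK received"
    # Perfdata format: label=value[unit];warn;crit;min  (lets Nagios/PNP graph it)
    perf = f"rtt={rtt:.3f}ms;{warn};{crit};0"
    if rtt >= crit:
        return 2, f"CRITICAL - {label}: RTT {rtt:.3f} ms | {perf}"
    if rtt >= warn:
        return 1, f"WARNING - {label}: RTT {rtt:.3f} ms | {perf}"
    return 0, f"OK - {label}: RTT {rtt:.3f} ms | {perf}"


if __name__ == "__main__":
    import sys
    # Usage: check_tunnel_rtt.py <host-on-remote-subnet> <tcp-port>  (hypothetical names)
    host, port = sys.argv[1], int(sys.argv[2])
    code, line = nagios_result(tcp_rtt_ms(host, port), f"{host}:{port}")
    print(line)
    sys.exit(code)
```

Scheduling the check every few minutes and graphing the `rtt=` perfdata gives the RTT history the original question asks for; a one-way measurement still needs captures on both sides, as the reply notes.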

FortiOSman
New Member
October 24, 2016

Thanks. To clarify, I ping a device on the other side of the tunnel, not the actual remote-gw ip. 

FWIW: the tunnel interface has an assigned SNMP IfIndex and you can graph it just like any physical interface.

What kind of data are you graphing? The only graphs I have in the FortiGate show interface traffic history.