FortiGate
rishab444
Staff
Article Id 379076

 

Description This article describes some of the common factors affecting the IPSec VPN throughput and its limitations.
Scope FortiOS.
Solution
  1. One of the most common concerns is that IPsec bandwidth is lower than, or not symmetric with, the Internet speed or underlay bandwidth. This is expected behavior: encapsulation adds overhead (including encryption headers) on top of the raw bandwidth of a link, so the VPN channel cannot carry traffic at full link speed.

  2. Selection of the Security Association: throughput also depends on the encryption, authentication, and Diffie-Hellman group used to form the IPsec connection.
    More secure authentication methods and DH groups use longer keys, which affects header size, so comparatively less data is sent per packet; the effect can be seen in overall throughput.

    For instance: SHA1 uses a 160-bit message digest while SHA256 uses a 256-bit digest.

  3. Hardware device selection: each device has its own throughput limit. For instance:
    1. A 1000F has a maximum IPsec VPN throughput (512 bytes) of up to 55 Gbps when using AES256‑SHA256.
      FortiGate 1000F Series

    2. A 60F has a maximum IPsec VPN Throughput (512 bytes) of up to 6.5 Gbps when using AES256‑SHA256.
      FortiGate FortiWiFi 60F Series



 

  4. Another common assumption is that if the download speed is 100 Mbps, the IPsec throughput must match it. However, IPsec also relies heavily on the upload speed of the connection, because the IKE packets, after encryption, need to be uploaded with their overhead and then integrated at the end of the link.
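
The per-packet overhead described in points 1 and 2, as an added example that is not part of the original article or Fortinet's own code: it computes ESP tunnel-mode packet sizes over IPv4 for AES-CBC with HMAC-SHA1 and HMAC-SHA256, using the field sizes from RFC 4303, RFC 2404 and RFC 4868. The function names, the 100 Mbps link rate and the sample packet sizes are assumptions chosen for illustration; Ethernet framing and fragmentation are ignored.

```python
# Added example: per-packet ESP tunnel-mode overhead (IPv4, AES-CBC).
# Field sizes: RFC 4303 (ESP), RFC 2404 (HMAC-SHA1-96), RFC 4868 (HMAC-SHA-256-128).

OUTER_IPV4 = 20   # new outer IPv4 header, no options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
NAT_T_UDP = 8     # UDP encapsulation header when NAT traversal is active
AES_BLOCK = 16    # AES-CBC block size, which is also the IV size

# ICV bytes carried in every ESP packet. ESP truncates the HMAC output:
# SHA1's 160-bit digest to 96 bits, SHA256's 256-bit digest to 128 bits.
ICV_BYTES = {"sha1": 12, "sha256": 16}


def esp_packet_size(inner_len, auth, nat_t=False):
    """On-wire IPv4 packet size for one inner IP packet of inner_len bytes."""
    # Inner packet plus trailer is padded up to a multiple of the cipher block.
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // AES_BLOCK) * AES_BLOCK
    size = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + padded + ICV_BYTES[auth]
    return size + (NAT_T_UDP if nat_t else 0)


def goodput_mbps(link_mbps, inner_len, auth, nat_t=False):
    """Upper bound on inner-traffic throughput for a given underlay rate."""
    return link_mbps * inner_len / esp_packet_size(inner_len, auth, nat_t)


if __name__ == "__main__":
    # Constructed sample: small, 512-byte and near-MTU inner packets on a
    # 100 Mbps underlay (hypothetical link rate).
    for inner in (64, 512, 1400):
        for auth in ("sha1", "sha256"):
            wire = esp_packet_size(inner, auth)
            print(f"inner={inner:5d} AES256-{auth.upper():6s} wire={wire:5d} "
                  f"overhead={wire - inner:3d} B "
                  f"max on 100 Mbps={goodput_mbps(100, inner, auth):5.1f} Mbps")
```

The relative cost of the overhead grows as packets get smaller, which is why throughput figures are quoted for a specific packet size such as 512 bytes.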

Related articles:
Technical Tip: How to troubleshoot speed issue through IPsec tunnel using iPerf tool

Troubleshooting Tip: How to troubleshoot speed or bandwidth related issues over Site-to-Site IPsec t...