FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes that when using both IPSec VPN and MPLS/P2P connection at the same time, users might notice that the transferring speed (of the same files) in the IPSec tunnel is usually slower than that of MPLS/P2P connection. The reason is that VPN traffic is encrypted and its latency is also unpredictable over the Internet lines.
Scope
FortiGate.
Solution
A test is conducted in lab with Fortigate 60F device with the following topology:
In this test, a large file (~ 5GB) is transferring between Local_LAN and Remote_LAN, over either MPLS/P2P or IPSec VPN tunnel. The speed is measured and calculated by the iPerf application and SMB protocol. The average speed of the IPSec VPN tunnel is slower than that of MPLS/P2P, significantly. Besides, if npu-offload is disabled in the VPN setting (which means that the traffic was not offloaded by NPU), the speed is even worse.
iPerf (MB/s)
SMB (MB/s)
MPLS / P2P
94.8
90.5
IPSec VPN (enable npu-offload)
56
55.57
IPSec VPN (disable npu-offload)
22.84
18.7
In the real world, the user should also consider the type of Internet line (which is used for the IPSec tunnel); because if it is PPPoE type, it will not support the NPU offload and reduce the IPSec tunnel's performance. The solution is either (1) to switch to an Internet leased-line for a VPN connection or (2) to work with the ISP to change the ISP modem/router's working mode.
