I'm facing a really strange problem with IPSec VPN. I configured IPSec tunnels FortiGate to FortiGate on different models (40F, 80F and 100F); all of my VPN tunnels are slow and do not reflect my bandwidth throughput. I'm on FortiOS 7.0.1
For example I have:
- FortiGate-80F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb
- FortiGate-100F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on the 100F site and a bandwidth of 500Mb/500Mb. Through my tunnel, I reach with difficulty about 200Mb/200Mb
- FortiGate-100F <-> FortiGate-100F with a bandwidth of 500Mb/500Mb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb
I tried many options to optimise my tunnel but nothing works. I tried:
- Set correct MTU on the WAN interface and MSS on the firewall rules (for example MTU of 1500 and MSS of 1380) --> no change
- Set different encryptions on my tunnels --> no change
- Disabled ipsec-asic and ipsec-hmac --> no change
This slowness on IPSec seems to be the same on every model and in every configuration... Here is, for example, one of my phase1 configs:
config vpn ipsec phase1-interface
    edit "vpn"
        set interface "wan1"
        set ike-version 2
        set local-gw 220.127.116.11
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 19 20
        set nattraversal forced
        set remote-gw 18.104.22.168
        set add-gw-route enable
        set psksecret Secret
    next
end
I really need your help. I don't understand what I've missed in the configuration.
Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:
Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6
According to Wikipedia, PPPoE uses EtherTypes 0x8863 and 0x8864, so this traffic won't benefit from the SoC4 acceleration of your device and all of the traffic is therefore handled on the CPU. You should be able to monitor CPU usage while using PPPoE with "get sys perf status" and compare it with the CPU usage when using plain IPv4 traffic (if possible). You are probably reaching high levels of CPU usage when PPPoE is in place and potentially reaching the limits of these models.
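The EtherType check this answer describes, as an added Python example that is not part of the original thread and not code from Fortinet: it builds a few constructed Ethernet frames (plain IPv4, plain IPv6, a PPPoE discovery frame and a PPPoE session frame carrying IPv4) and classifies each against the single fast-path criterion quoted above. The PPPoE session header layout follows RFC 2516; the MAC addresses, session id and header bytes are made up; only the Layer 2 type/length criterion is checked, since no other fast-path criteria are shown on this page. The point it makes visible is that a PPPoE session frame fails the check even when the packet inside it is ordinary IPv4.

```python
"""Classify Ethernet frames against the fast-path criterion quoted in the answer:
the Layer 2 type/length field must be 0x0800 (IPv4) or 0x86dd (IPv6).
All frames below are constructed samples, not captured traffic."""
import struct

ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_PPPOE_DISC = 0x8863   # PPPoE discovery stage (PADI/PADO/PADR/PADS)
ETH_P_PPPOE_SESS = 0x8864   # PPPoE session stage (carries PPP-encapsulated IP)

# The only criterion the answer quotes; any further criteria are not on the page.
FAST_PATH_ETHERTYPES = {ETH_P_IP, ETH_P_IPV6}

# PPP protocol numbers found inside a PPPoE session payload.
PPP_PROTO_NAMES = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP"}


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_pppoe_session(session_id: int, ppp_proto: int, ppp_payload: bytes) -> bytes:
    """PPPoE session header (RFC 2516): ver=1/type=1 | code=0x00 | session id | length,
    followed by the 2-byte PPP protocol id and the PPP payload."""
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp


def ethertype_of(frame: bytes) -> int:
    """Read the Layer 2 type/length field of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def pppoe_inner_protocol(frame: bytes) -> int:
    """Return the PPP protocol id carried by a PPPoE session-stage frame."""
    payload = frame[14:]
    if len(payload) < 8:
        raise ValueError("truncated PPPoE session frame")
    ver_type, code, _session_id, _length = struct.unpack("!BBHH", payload[:6])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE session-stage frame")
    return struct.unpack("!H", payload[6:8])[0]


def classify(frame: bytes) -> str:
    """'fast-path' if the L2 type field passes the quoted criterion, otherwise a CPU reason."""
    et = ethertype_of(frame)
    if et in FAST_PATH_ETHERTYPES:
        return "fast-path"
    if et == ETH_P_PPPOE_SESS:
        inner = PPP_PROTO_NAMES.get(pppoe_inner_protocol(frame), "unknown")
        # The inner packet may be IPv4, but the L2 type is 0x8864, so it fails the check.
        return f"cpu: PPPoE session carrying {inner}"
    if et == ETH_P_PPPOE_DISC:
        return "cpu: PPPoE discovery"
    return f"cpu: ethertype 0x{et:04x}"


# Constructed sample data (made-up MACs and truncated IP header bytes).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_HDR = bytes.fromhex("45000028000040004006")
IPV6_HDR = bytes.fromhex("6000000000140640")

SAMPLE_FRAMES = {
    "plain ipv4": build_frame(DST, SRC, ETH_P_IP, IPV4_HDR),
    "plain ipv6": build_frame(DST, SRC, ETH_P_IPV6, IPV6_HDR),
    # PADI: PPPoE discovery frame, code 0x09, session id 0, empty tag list.
    "pppoe padi": build_frame(DST, SRC, ETH_P_PPPOE_DISC, struct.pack("!BBHH", 0x11, 0x09, 0, 0)),
    # IPv4 packet tunnelled inside a PPPoE session (PPP protocol 0x0021).
    "pppoe ipv4": build_frame(DST, SRC, ETH_P_PPPOE_SESS, build_pppoe_session(0x0001, 0x0021, IPV4_HDR)),
}


def classify_all(frames=SAMPLE_FRAMES) -> dict:
    """Map each sample name to its fast-path verdict."""
    return {name: classify(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} -> {verdict}")
```

Run it directly to see the four verdicts; the two plain IP frames come back as fast-path candidates, while both PPPoE frames, including the one whose payload is an IPv4 packet, fall to the CPU, which is exactly the situation the answer is pointing at.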