Created on 04-10-2007 03:20 AM
ORIGINAL: UkWizard
Not sure this makes sense, could you please elaborate? Do you mean if you copy data from site to site without going via the IPsec tunnel, it's 10 times more bandwidth? Not sure how you can compare the two easily.

I'll try to make my question a little clearer. Simple comparison tests were carried out initially:

1) We transferred a file of approx 1.2 GByte using FTP through the VPN tunnel. The FTP program reported that the file was transferred at 380 kbits/s.

2) The same file was then transferred with the same FTP program between the same two end machines but not via the VPN. To do the comparisons I set up a policy which used NAT on the remote firewall in order to bypass the VPN tunnel. This time the FTP program reported that the file had transferred at 3.42 Mbits/s.

So this indicates to me that transferring data through the VPN is considerably slower and appears to offer only 11% throughput compared to transfers external to the VPN. This test was repeated a number of times and the average was closer to 10% of the throughput available without using the VPN. We also used a bandwidth measuring tool, "iperf", which indicates the same difference between VPN and non-VPN traffic.

Reading the specification for the firewall as suggested by Abel in another reply: http://www.fortinet.com/doc/FGT200_800DS.pdf This PDF shows that the FGT800 has a firewall throughput of 1 Gbit/s and IPSEC VPN (168-bit Triple DES) throughput of 200 Mbit/s. So if I interpret this to read that the VPN throughput is expected to be 20% or possibly less compared to firewall throughput (or the maximum bandwidth between the two firewalls?) then I suppose the throughput we have measured of around 10% is only half of what we might have been led to expect, i.e. if the maximum bandwidth available between the two firewalls is around 4 Mbit/s then we may not expect to achieve better than 800 kbit/s through the VPN tunnel. Maybe other firewalls offer better throughput on VPN.

The specifications for the FGT200A, for instance, appear to show VPN throughput near to 50% of firewall throughput with figures of 70 Mbps and 150 Mbps respectively. I suppose it all depends on how we interpret published figures. My original question should have been: Has anyone else compared traffic through an IPSec VPN tunnel with a direct connection, and have they seen similar differences in throughput? I suspect now that anyone answering YES to the first part of this question will also answer YES to the second part.

Some general points to note:

a) The Fortigates at each end of the link are connected to routers which have 100 Mbit/s full duplex interfaces. Hence neither connects at 1 Gbit.

b) The link between the two Fortigates has 11 router hops including the two routers mentioned in a) above. This may indicate why our maximum achievable available bandwidth is around 4 Mbit/s. We are addressing improved available maximum bandwidth between the two sites as a separate issue.
Is this what I should expect?
I don't think so.

Or is there a fix or a way of 'tuning' the circuit or VPN to improve things?
You have the option of a 'traffic shape' VPN firewall policy.

Other firewall manufacturers publish figures for expected throughput on IPSec VPN circuits but Fortinet do not appear to do so.
You have that info in each product PDF datasheet from Fortinet's site, http://www.fortinet.com/products/enterprise.html in your case.
regards
/ Abel
ORIGINAL: abelio
Is this what I should expect? I don't think so. Or is there a fix or a way of 'tuning' the circuit or VPN to improve things? You have the option of a 'traffic shape' VPN firewall policy. Other firewall manufacturers publish figures for expected throughput on IPSec VPN circuits but Fortinet do not appear to do so. You have that info in each product PDF datasheet from Fortinet's site, http://www.fortinet.com/products/enterprise.html in your case.

Abel, thanks for the info. I just need to sit down and try to interpret the information in the PDF file correctly.
Tom.
ORIGINAL: UkWizard
Are you saying you have a 100Mb connection between the sites then? Take the paper specs with a pinch of salt, as these max throughput ratings are when EVERYTHING ELSE is turned off, i.e. IPS/AV/AUTH etc. When you did the tests, did you ensure that AV was turned off, and that you are not getting Mb (bits) and MB (bytes) mixed up?

I wish we did have 100 Mbit/s between sites. Since we do not have a dedicated link end to end, we are constrained by the weakest link in the circuit path between the two sites. At the remote site all interfaces, including that to the external router, are 100 Mbit full duplex. The external router belongs to a service provider and we have no knowledge of what happens, i.e. what interface speeds exist, beyond that point. Traceroute output shows that average response times start to exceed 10 ms after the 6th hop, with average response time for the remote router being around 18 ms. As I said, we are talking to the provider about how we can improve end-to-end overall bandwidth. However, even if we had a 100 Mbit/s dedicated circuit I would like to know what VPN throughput we could expect to achieve. Will it always be around 10% of the circuit bandwidth? All IPS and AV etc. are turned off on both firewalls. I don't think I'm mixing my bits with my bytes, just reporting the results I get.

Below is a typical output from the "iperf" program. Note this is cut and paste from the program output. Details of "iperf" are available at the following URL: http://dast.nlanr.net/Projects/Iperf/ Sample output from the bandwidth measuring tool "iperf" is shown below. Sample 1 shows the iperf results when traffic goes directly out to the internet from the firewall via a NAT policy. Sample 2 shows iperf results when traffic goes via the IPSec VPN tunnel.

Sample 1
========
C:\iperf>iperf -c 129.234.2.39
------------------------------------------------------------
Client connecting to 129.234.2.39, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1916] local 193.60.196.1 port 4049 connected with 129.234.2.39 port 5001
[ ID] Interval       Transfer     Bandwidth
[1916]  0.0-10.0 sec  4.09 MBytes  3.42 Mbits/sec

Sample 2
========
C:\iperf>iperf -c 129.234.2.39
------------------------------------------------------------
Client connecting to 129.234.2.39, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1916] local 193.60.196.1 port 4058 connected with 129.234.2.39 port 5001
[ ID] Interval       Transfer     Bandwidth
[1916]  0.0-12.0 sec   672 KBytes   459 Kbits/sec

Thanks for your questions. They help me to think through the problem to see if there is anything I have missed.

Best regards
Tom
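An added example, not from anyone in the thread: it parses the two iperf summary lines quoted above, recomputes the bit rate from the byte column to rule out the bits/bytes mix-up UkWizard asks about, and compares the direct-path figure with the single-stream TCP ceiling of window/RTT, using the 8 KByte default window and the roughly 18 ms round trip reported in the post (the RTT is read from the traceroute figure, so it is an approximation).

```python
import re

# Constructed from the two iperf summary lines quoted in the post above:
# Sample 1 = direct (NAT) path, Sample 2 = IPsec tunnel path.
IPERF_NAT = "[1916]  0.0-10.0 sec  4.09 MBytes  3.42 Mbits/sec"
IPERF_VPN = "[1916]  0.0-12.0 sec   672 KBytes   459 Kbits/sec"

# iperf 2 scales bytes by 1024 and bits by 1000; the samples above agree:
# 672 KBytes * 1024 * 8 / 12 s = 458752 bit/s, printed as 459 Kbits/sec.
_BYTE_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_BIT_SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}

_SUMMARY = re.compile(
    r"\[\s*\d+\]\s+(?P<t0>[\d.]+)-(?P<t1>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xu>[KMG]?)Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bu>[KMG]?)bits/sec"
)


def parse_iperf_summary(line):
    """Return (seconds, bytes_transferred, reported_bits_per_sec)."""
    m = _SUMMARY.search(line)
    if m is None:
        raise ValueError("not an iperf summary line: %r" % line)
    seconds = float(m["t1"]) - float(m["t0"])
    nbytes = float(m["xfer"]) * _BYTE_SCALE[m["xu"]]
    bps = float(m["bw"]) * _BIT_SCALE[m["bu"]]
    return seconds, nbytes, bps


def derived_bps(line):
    """Recompute bit/s from the transfer column; should match the reported rate."""
    seconds, nbytes, _ = parse_iperf_summary(line)
    return nbytes * 8 / seconds


def vpn_fraction(vpn_line, nat_line):
    """Tunnel throughput as a fraction of direct-path throughput."""
    return parse_iperf_summary(vpn_line)[2] / parse_iperf_summary(nat_line)[2]


def tcp_window_bound_bps(window_bytes, rtt_seconds):
    """Ceiling for one TCP stream: at most one window in flight per round trip."""
    return window_bytes * 8 / rtt_seconds


if __name__ == "__main__":
    print("VPN/direct ratio: %.1f%%" % (100 * vpn_fraction(IPERF_VPN, IPERF_NAT)))
    # 8 KByte default window and the ~18 ms round trip from the traceroute above
    print("window/RTT bound: %.2f Mbit/s" % (tcp_window_bound_bps(8192, 0.018) / 1e6))
```

With an 8 KByte window and an 18 ms round trip the bound comes out near 3.64 Mbit/s, so the direct-path sample is already close to the TCP window ceiling; repeating both runs with a larger window (iperf's -w option) separates the effect of the tunnel from the effect of the window size.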