Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AnonymusUser
New Contributor III

Created on ‎03-04-2025 02:00 AM

IPsec VPN speed issues.

Hello, we utilized IPsec VPN last month, and several of our remote users

are expressing concerns about sluggish internet speeds when they activate the VPN. 
Certain users have had their connections reduced by 50%, while others have faced a decrease of 80%. 

Kindly be aware that the remote server is located a significant distance from the remote users.

Is there something we can do to improve their speed?

Labels:
174
0 Kudos
2 REPLIES 2
Jean-Philippe_P
Moderator
Moderator

Created on ‎03-06-2025 09:53 PM

Hello AnonymusUser, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
107
0 Kudos
Jean-Philippe_P
Moderator
Moderator

Created on ‎03-07-2025 01:48 AM

Hello again,

 

Can you check if these steps can help you, please?

 

  1. Enable IPsec Soft Dec Async:
    - For FortiGate VMs in AWS, enable the `ipsec-soft-dec-async` setting to distribute and decrypt IPsec sessions using available VM cores.
    - Configuration: `# config system global set ipsec-soft-dec-async enable end `

  2. Optimize Network Card Settings:
    - Ensure the network card’s transmit queue (`txqueuelen`) is set appropriately.
    - Check settings for TCP segmentation offload (TSO), generic segmentation offload (GSO), and checksum offloading.

  3. Use AEAD algorithms like AES-GCM for encryption and integrity protection, as they are faster and supported by modern CPUs.

  4. Enable NPU Offload: If using FortiGate devices, ensure NPU offload is enabled to improve performance by offloading processing to network processors.

  5. Optimize Outbound Hashing: For FortiGate 3960E and 3980E, configure outbound hashing to distribute IPsec traffic efficiently among NP6 processors.

  6. Consider Internet Line Type: Use an Internet leased line instead of PPPoE for better support of NPU offload and improved performance. 

Hope this will help you :)

Jean-Philippe - Fortinet Community Team
83
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.