Hi folks,
I have got an IPsec site-to-site VPN between 2 FortiGate appliances:
1x Fortigate 60D connected to the Internet 12/12 Mbit: v5.0,build0310 (GA Patch 11)
1x Fortigate 100D connected to the Internet 20/20 Mbit: v5.0,build0310 (GA Patch 11)
We have got a database application running which transfers a small amount of data through the tunnel (a few MB for login, for example). Although the speed of the connection is not that slow, it takes 2 minutes until we get the login screen.
So I started Wireshark and got the following capture (log.jpg).
I really don't know why there are malformed packets with the IPA protocol (192.168.10.248 is the database server IP). Is Wireshark possibly misinterpreting the protocol?
VPN Phase 1:
Remote Gateway: static IP, Mode: Main
Preshared Key
Accept any peer ID
Enable IPSec Interface Mode: NO
IKE Version 1
P1 Proposal 1 - Encryption AES 256 Authentication SHA1
DH Group 5
Keylife 28800
Xauth Disable
NAT Traversal Enable
Keepalive Freq. 10
VPN Phase 2: P2 Proposal 1 - Encryption AES256 Authentication SHA1
Enable Replaydetection YES
Enable perfect forward secrecy (PFS): YES
DH Group 5
Keylife Seconds 1800
Auto Keep Alive Enable
Quick Mode Selector: Source and Destination Address specified
I have no idea what is causing the slowdown... :(
Any hints are welcome!
Daniel
Have you tested other TCP-based applications for slowness? IPA runs over TCP, so if you suspect it and VPN performance, test other TCP-based applications (telnet, FTP, SSH, etc.).
PCNSE
NSE
StrongSwan
I'm having the same problem. We just have other encryption settings (3DES / MD5). Performance is very slow (less than 3 Mbit; and we have a 30 Mbit symmetric WAN connection).
Anyone any idea? What to do? How to find the reason?
BR C
Nice Thread.
We just connected one FRITZ!Box 7490 (FW 6.30) site to site with an FG 60D FW 5.2.3 #670, IPsec 3DES-SHA1 tunnel.
Internet is: 200 down/25 up on the FG60D and 50 down/10 up on the FRITZ!Box. Files should be downloaded at the FRITZ!Box.
We know the max performance on the FRITZ!Box is about 20 Mbit with a site-to-site VPN tunnel.
The performance (file copy to a Windows PC) is actually "only" 6 Mbit in both directions.
Sequential Read : 0.688 MB/s, Sequential Write : 0.615 MB/s
I would prefer the performance to be 20 Mbit (upload on the FG60D and download on the FB 7490) and about 10 Mbit the other way. Without VPN the speed is near maximum line speed.
At the FG 60D no UTM profiles are currently used. Only one policy for the VPN tunnel.
So is it possible that the FG60D has such poor IPsec VPN performance?
Any ideas for better performance?
Thx Martin
Helped myself:
Changed phase 1 and phase 2 encryption from 3DES to AES256 and the performance doubled!
Now I get 1.3 MByte/sec Windows-to-Windows file exchange performance (about 10 Mbit) in both directions.
Regarding the malformed packets: I have troubleshot this before and it was due to our geo-redundant platform setup, where 2 mirrored FortiGates, one active and one standby, are controlled by BGP failover. The standby peer had auto-negotiate on for phase 1, which causes it to actively reach out to the remote peer to establish the phase 1 connection, which was undesirable. This essentially causes phase 1 not to come up, with the errors being malformed packets. I have also seen it when the remote peer was a SonicWall and the PSK had a mismatch.
Regarding performance, try turning off the replay detection on your phase 2; this will auto-enable the NPU offload. When it is on you have to manually enable the feature:
    config system npu
        set enc-offload-antireplay enable
        set dec-offload-antireplay enable
        set offload-ipsec-host enable
    end

and make sure:

    config firewall policy
        edit 0
            set auto-asic-offload enable
        next
    end
Next, regarding performance, I have troubleshot some ERP database applications through a VPN with poor performance. The fix to that issue was to increase the session TCP TTL to something like 8+ hours; you can set this for particular ports also:

    config system session-ttl
        set default 28800
    end
I hope this helps, good luck
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
Yes, I agree with the previous post.
Offloading the VPN traffic to NP should increase the performance.
On the new versions, disabling the replay detection is the only thing needed. However, on the earlier firmware versions, you need to set the local-gw as the WAN IP in phase1 setting as well.
Hope that helps
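An added worked example (not from any of the posters) that pulls the two suggestions above into one configuration for the policy-based tunnel described in the first post: turn off replay detection on phase 2 so the NPU offload engages, and raise the session TTL only for the database port instead of globally. The phase 2 name "S2S_P2", the policy ID 1, the WAN IP 203.0.113.10 and TCP port 1433 are placeholders; substitute your own values.

```fortios
# Phase 2 of the policy-based tunnel (interface mode is off in the original post).
# Replay detection off lets the NPU offload engage automatically.
config vpn ipsec phase2
    edit "S2S_P2"
        set replay disable
    next
end

# Older firmware also needs the phase 1 local gateway pinned to the WAN IP
# (per the previous post). Placeholder IP, placeholder phase 1 name.
config vpn ipsec phase1
    edit "S2S_P1"
        set local-gw 203.0.113.10
    next
end

# Confirm the VPN policy is allowed to be offloaded to the ASIC.
config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end

# Keep the global default TTL sane and extend it only for the database port
# (placeholder: TCP 1433), rather than holding every session for 8 hours.
config system session-ttl
    set default 3600
    config port
        edit 1
            set protocol 6
            set start-port 1433
            set end-port 1433
            set timeout 28800
        next
    end
end
```

Afterwards, `diagnose vpn ipsec status` should show the tunnel's encrypt/decrypt counters moving under the NPU rather than the software path, which is the check the later post recommends.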
Any better if you use IKEv2 ?
discoscott wrote:
> Any better if you use IKEv2?
There is no support for IKEv2 on the FRITZ!Box at the moment.
I would look at the crypto status and validate that nothing is process-switched via software, e.g.:

    diag vpn ipsec status

In my experience, various ciphers offer a slight improvement over others. You would be best to test this in a controlled lab using a set packet size, with UDP and once again with iperf/jperf or similar, if you want to gain every inch of performance out of your IPsec tunnels.
BTW: I'm really surprised that the FRITZ!Box didn't have IKEv2 support. I would have thought the 7490s would have it by now.
PCNSE
NSE
StrongSwan