I'm facing a really strange problem with IPsec VPN. I configured IPsec tunnels FortiGate to FortiGate on different models (40F, 80F and 100F), and all of my VPN tunnels are slow and do not reflect my bandwidth throughput. I'm on FortiOS 7.0.1.
For example I have:
- FortiGate-80F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb.
- FortiGate-100F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on the 100F side and 500Mb/500Mb on the other side. Through my tunnel, I reach with difficulty about 200Mb/200Mb.
- FortiGate-100F <-> FortiGate-100F with a bandwidth of 500Mb/500Mb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb.
I tried many options to optimise my tunnel but nothing works. I tried:
- Setting the correct MTU on the WAN interface and MSS on the firewall rules (for example MTU of 1500 and MSS of 1380) --> no change
- Setting different encryptions on my tunnels --> no change
- Disabling ipsec-asic and ipsec-hmac --> no change
This slowness on IPsec seems to be the same on every model and in every configuration... Here, for example, is one of my phase1 configs:
    config vpn ipsec phase1-interface
        edit "vpn"
            set interface "wan1"
            set ike-version 2
            set local-gw 22.214.171.124
            set keylife 28800
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dhgrp 19 20
            set nattraversal forced
            set remote-gw 126.96.36.199
            set add-gw-route enable
            set psksecret Secret
        next
    end
I really need your help. I don't understand what I've missed in the configuration.
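As an added example (not from the original post and not Fortinet code), here is the ESP tunnel-mode overhead for each proposal in the phase1 config above, with NAT-T UDP encapsulation as `nattraversal forced` implies, worked out in Python. It shows where an MSS clamp such as 1380 comes from and what the tightest value is for each cipher. Byte counts follow RFC 4303 (ESP), RFC 4106 (AES-GCM), RFC 7634 (ChaCha20-Poly1305), RFC 4868 (HMAC-SHA-256-128, assuming the 128-bit ICV truncation) and RFC 3948 (UDP encapsulation); the FortiOS proposal names are used only as dictionary keys, and the WAN MTU of 1500 is the one quoted in the post.

```python
# Added example: ESP tunnel-mode overhead per cipher and the TCP MSS that follows from it.
# Not from the thread or from Fortinet; sizes are taken from the RFCs named in the lead-in.

OUTER_IPV4 = 20       # outer IPv4 header in tunnel mode (no options)
NATT_UDP = 8          # UDP header added by NAT-T (RFC 3948); the post has "nattraversal forced"
ESP_HEADER = 8        # SPI (4) + sequence number (4); ESN adds no bytes on the wire
ESP_TRAILER = 2       # pad length (1) + next header (1)
INNER_IPV4_TCP = 40   # inner IPv4 (20) + TCP (20) headers without options

# (iv_bytes, icv_bytes, alignment) keyed by the FortiOS proposal names in the post.
# CBC ciphers need (payload + pad + trailer) to be a multiple of the 16-byte block;
# AEAD ciphers (GCM, ChaCha20-Poly1305) only need the trailer to end on a 4-byte boundary.
PROPOSALS = {
    "aes128-sha256": (16, 16, 16),
    "aes256-sha256": (16, 16, 16),
    "aes128gcm-prfsha256": (8, 16, 4),
    "aes256gcm-prfsha384": (8, 16, 4),
    "chacha20poly1305-prfsha256": (8, 16, 4),
}


def esp_overhead(proposal: str, payload_len: int, nat_t: bool = True) -> int:
    """Bytes on the wire for one ESP tunnel-mode packet carrying payload_len inner bytes."""
    iv, icv, align = PROPOSALS[proposal]
    body = payload_len + ESP_TRAILER
    pad = (-body) % align                     # minimum padding that satisfies the alignment
    return OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv + body + pad + icv


def max_inner_packet(proposal: str, wan_mtu: int = 1500, nat_t: bool = True) -> int:
    """Largest inner IP packet that fits wan_mtu without fragmenting the ESP packet."""
    iv, icv, align = PROPOSALS[proposal]
    fixed = OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv + icv
    room = wan_mtu - fixed                    # left for payload + padding + trailer
    room -= room % align                      # that block must be alignment-sized
    return room - ESP_TRAILER


def tcp_mss(proposal: str, wan_mtu: int = 1500, nat_t: bool = True, tcp_options: int = 0) -> int:
    """TCP MSS to clamp on the policy so full-size inner segments never force ESP fragmentation.

    MSS counts only TCP data (RFC 879); hosts sending TCP options (timestamps plus SACK
    is typically 12 bytes) add them on top, so pass tcp_options to reserve room for them.
    """
    return max_inner_packet(proposal, wan_mtu, nat_t) - INNER_IPV4_TCP - tcp_options


if __name__ == "__main__":
    for name in PROPOSALS:
        print(f"{name:28s} max inner {max_inner_packet(name)}  "
              f"mss {tcp_mss(name)}  mss with 12B options {tcp_mss(name, tcp_options=12)}")
```

For the CBC+HMAC proposals the tightest MSS with NAT-T is 1382, and for the AEAD proposals 1398; 1380 is therefore below all of them and is not what limits throughput here, which is consistent with the post seeing no change from MSS tuning.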
Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:
Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6
According to Wikipedia, PPPoE uses EtherTypes 0x8863 and 0x8864, so this traffic won't benefit from the SoC4 acceleration of your device, and hence all the traffic is handled on the CPU. You should be able to monitor CPU usage while using PPPoE with "get sys perf status" and compare it with the CPU usage when using plain IPv4 traffic (if possible). You are probably reaching high levels of CPU usage when PPPoE is in place and potentially reaching the limits of these models.
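To make the layer-2 criterion concrete, here is an added example (not part of the reply above and not Fortinet code) that parses a few constructed Ethernet frames and checks their outer EtherType against the 0x0800/0x86dd rule: a plain IPv4 frame passes, while the same IPv4 packet carried inside a PPPoE session frame (EtherType 0x8864, PPP protocol 0x0021) does not, even though the payload is ordinary IPv4. An 802.1Q-tagged frame is included only to show that the check looks at the outer type; whether the SoC accepts tagged frames is not something this thread states. MAC addresses, the sample IPv4/TCP packet and its zeroed checksum are constructed for the demonstration.

```python
import struct

# EtherType values (IEEE/IANA) and PPP protocol numbers (RFC 1661, RFC 2516).
ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION = 0x8863, 0x8864
PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057

ETH_NAMES = {ETH_IPV4: "IPv4", ETH_IPV6: "IPv6", ETH_VLAN: "802.1Q",
             ETH_PPPOE_DISCOVERY: "PPPoE-Discovery", ETH_PPPOE_SESSION: "PPPoE-Session"}
PPP_NAMES = {PPP_IPV4: "IPv4", PPP_IPV6: "IPv6"}

# The layer-2 rule quoted in the reply: only these outer types are fast-path ready.
FAST_PATH_L2_TYPES = {ETH_IPV4, ETH_IPV6}


def classify_frame(frame: bytes) -> dict:
    """Return the outer EtherType, what it encapsulates, and whether the L2 rule is met."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"l2_type": ethertype, "l2_name": ETH_NAMES.get(ethertype, hex(ethertype)),
            "fast_path_ready": ethertype in FAST_PATH_L2_TYPES,
            "vlan_id": None, "inner": None}
    if ethertype == ETH_VLAN:
        # 802.1Q: 2-byte TCI (PCP/DEI/VID) followed by the encapsulated EtherType.
        tci, inner = struct.unpack_from("!HH", frame, 14)
        info["vlan_id"], info["inner"] = tci & 0x0FFF, ETH_NAMES.get(inner, hex(inner))
    elif ethertype == ETH_PPPOE_SESSION:
        # PPPoE session header (RFC 2516): ver/type, code, session id, length,
        # then the 2-byte PPP protocol field naming the PPP payload (0x0021 = IPv4).
        _vt, _code, _sid, _length, ppp_proto = struct.unpack_from("!BBHHH", frame, 14)
        info["inner"] = PPP_NAMES.get(ppp_proto, hex(ppp_proto))
    return info


def offload_report(frames) -> tuple:
    """Count frames that meet the L2 rule versus frames that would be handled on the CPU."""
    frames = list(frames)
    ready = sum(1 for f in frames if classify_frame(f)["fast_path_ready"])
    return ready, len(frames) - ready


# --- constructed sample frames (assumed values, not captured traffic) ------------------
DST_MAC, SRC_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
# Minimal IPv4/TCP packet: 20-byte IPv4 header (checksum left 0) + 20-byte zeroed TCP header.
IPV4_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])) + bytes(20)


def ethernet(ethertype: int, payload: bytes) -> bytes:
    return DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + payload


def pppoe_session(session_id: int, ppp_proto: int, ppp_payload: bytes) -> bytes:
    # ver=1/type=1 -> 0x11, code 0x00 = session data; length covers protocol field + payload.
    return struct.pack("!BBHHH", 0x11, 0x00, session_id,
                       len(ppp_payload) + 2, ppp_proto) + ppp_payload


SAMPLE_FRAMES = {
    "plain-ipv4": ethernet(ETH_IPV4, IPV4_PACKET),
    "pppoe-ipv4": ethernet(ETH_PPPOE_SESSION, pppoe_session(0x0001, PPP_IPV4, IPV4_PACKET)),
    "vlan100-ipv4": ethernet(ETH_VLAN, struct.pack("!HH", 100, ETH_IPV4) + IPV4_PACKET),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_frame(frame))
    print("fast-path ready / CPU:", offload_report(SAMPLE_FRAMES.values()))
```

The same classifier can be pointed at a real capture (for example frames read with a pcap library) to see what fraction of a WAN link's traffic even qualifies for offload before looking at cipher choices.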
I was dealing with a similar situation. I have a FortiGate 100E cluster running on one side and a pfSense running at the other point, in different countries. On the pfSense side I have a 1Gb/s internet link and on the FortiGate side 500Mb/s up and down (dedicated link). I changed all the configurations already mentioned and other ones in this forum, and I was still getting up to 250Mb/s for the upload from the FortiGate to the pfSense using IPsec; without IPsec I can reach 500Mb/s normally. I'm using the iperf server package on the pfSense side and a Linux server on the private network behind the FortiGate firewall as the iperf client.
After all the changes and tests, I tried to run the iperf test from two servers on the FortiGate private network side, and it turns out I get the result I was looking for, reaching 500Mb/s for upload (the download was working on the first try). Now I have another thing to look at, but I'm sure about the structure supporting 500Mb/s up and down using the IPsec tunnel.