Hi everyone!
I'm facing a really strange problem with IPsec VPN. I configured IPsec tunnels FortiGate to FortiGate on different models (40F, 80F and 100F); all of my VPN tunnels are slow and they are not reflecting my bandwidth throughput. I'm on FortiOS 7.0.1.
For example I have:
- FortiGate-80F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb
- FortiGate-100F <-> FortiGate-80F with a bandwidth of 1Gb/1Gb on the 100F site and a bandwidth of 500Mb/500Mb. Through my tunnel, I reach with difficulty about 200Mb/200Mb
- FortiGate-100F <-> FortiGate-100F with a bandwidth of 500Mb/500Mb on both sites. Through my tunnel, I reach with difficulty about 200Mb/200Mb
I tried many options to optimise my tunnel but nothing works. I tried:
- Setting the correct MTU on the WAN interface and MSS on the firewall rules (for example MTU of 1500 and MSS of 1380) --> no change
- Setting different encryptions on my tunnels --> no change
- Disabling ipsec-asic and ipsec-hmac --> no change
This slowness on IPsec seems to be the same on every model and every configuration... Here is, for example, one of my phase1 configs:
config vpn ipsec phase1-interface
    edit "vpn"
        set interface "wan1"
        set ike-version 2
        set local-gw 1.2.3.4
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 19 20
        set nattraversal forced
        set remote-gw 4.3.2.1
        set add-gw-route enable
        set psksecret Secret
    next
end
I really need your help. I don't understand what I've missed in the configuration.
Thanks!
Hi everyone!
I continued my investigations. As far as I can see, the slowness seems to be related to PPPoE interfaces. When I have an interface with a static public IP, I don't have any slowness...
My question is why it's slow on PPPoE and not otherwise. Is it an MTU problem or an IKE proposal problem?
Thanks
Most probably you pinpointed the issue. Your FortiGate F-series devices come with an NP6XLite (SoC4) processor, which, like all other NP6 units, can't accelerate PPPoE traffic. See here:
https://docs.fortinet.com/document/fortigate/7.0.1/hardware-acceleration/149012/np6-session-fast-pat...
Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:
According to Wikipedia, PPPoE uses EtherTypes 0x8863 and 0x8864, so this traffic won't benefit from the SoC4 acceleration of your device, and hence all the traffic is handled on the CPU. You should be able to monitor CPU usage while using PPPoE with "get sys perf status" and compare it with the CPU usage when using plain IPv4 traffic (if possible). You are probably reaching high levels of CPU usage when PPPoE is in place and potentially reaching the limits of these models.
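The EtherType point in the reply above, as an added example that is not code from the thread or from Fortinet: a small Ethernet frame parser that reports each frame's EtherType and whether that EtherType is fast-path eligible. Only the EtherType criterion is modelled (IPv4 0x0800 and IPv6 0x86DD are eligible, PPPoE 0x8863/0x8864 are not, an 802.1Q tag is skipped); the remaining fast-path criteria on the linked Fortinet page are not represented, and the sample frames are constructed, not captured traffic.

```python
"""Classify Ethernet frames by EtherType and flag PPPoE frames, which the
NP6 fast path cannot offload. Added example; the offload rule here covers
only the EtherType criterion, not the full Fortinet fast-path checklist."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100            # 802.1Q tag, transparent for the check
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_IPV6 = 0x0057
OFFLOADABLE_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6}


def parse_frame(frame: bytes):
    """Return (ethertype, vlan_id, payload); one 802.1Q tag is skipped if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return etype, vlan_id, frame[offset:]


def classify(frame: bytes) -> dict:
    """Describe a frame and say whether its EtherType is fast-path eligible."""
    etype, vlan_id, payload = parse_frame(frame)
    info = {"ethertype": etype, "vlan": vlan_id,
            "offloadable": etype in OFFLOADABLE_ETHERTYPES}
    if etype == ETHERTYPE_PPPOE_SESSION:
        # PPPoE session header (RFC 2516): ver/type, code, session id, length,
        # followed by the 2-byte PPP protocol field of the encapsulated packet
        if len(payload) < 8:
            raise ValueError("truncated PPPoE session header")
        _vt, _code, session_id, _length, ppp_proto = struct.unpack("!BBHHH", payload[:8])
        info["session_id"] = session_id
        info["inner"] = {PPP_PROTO_IPV4: "ipv4", PPP_PROTO_IPV6: "ipv6"}.get(ppp_proto, "other")
    elif etype == ETHERTYPE_PPPOE_DISCOVERY:
        info["inner"] = "pppoe-discovery"
    elif etype == ETHERTYPE_IPV4:
        info["inner"] = "ipv4"
    elif etype == ETHERTYPE_IPV6:
        info["inner"] = "ipv6"
    else:
        info["inner"] = "other"
    return info


# --- constructed sample frames (not captured traffic) ---
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
# a minimal 20-byte IPv4 header is enough for EtherType classification
IPV4_STUB = bytes.fromhex("45000014000000004001") + b"\x00" * 10


def ethernet(etype: int, payload: bytes, vlan_id=None) -> bytes:
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) if vlan_id is not None else b""
    return DST + SRC + tag + struct.pack("!H", etype) + payload


def pppoe_session(session_id: int, ppp_proto: int, inner: bytes) -> bytes:
    # ver=1/type=1 -> 0x11, code 0x00 = session data, length covers PPP proto + inner
    return struct.pack("!BBHHH", 0x11, 0x00, session_id, len(inner) + 2, ppp_proto) + inner


SAMPLE_FRAMES = [
    ethernet(ETHERTYPE_IPV4, IPV4_STUB),                       # plain IPv4 on a static-IP WAN
    ethernet(ETHERTYPE_IPV4, IPV4_STUB, vlan_id=100),          # VLAN-tagged IPv4, still eligible
    ethernet(ETHERTYPE_PPPOE_SESSION, pppoe_session(0x0042, PPP_PROTO_IPV4, IPV4_STUB)),
    ethernet(ETHERTYPE_PPPOE_DISCOVERY, struct.pack("!BBHH", 0x11, 0x09, 0, 0)),  # PADI
]


def offload_summary(frames) -> dict:
    """Count frames by path; on a PPPoE WAN every data frame lands in the 'cpu' bucket."""
    counts = {"np6": 0, "cpu": 0}
    for f in frames:
        counts["np6" if classify(f)["offloadable"] else "cpu"] += 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
    print(offload_summary(SAMPLE_FRAMES))
```

The IPv4 packet inside the PPPoE session frame is the same packet as the plain IPv4 frame; only the outer EtherType differs, which is why the same tunnel traffic behaves differently on a static-IP WAN and a PPPoE WAN.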
Hi! Thanks for your reply. On my FortiGate-100F my CPU reaches approx. 4% when I download a file through SMB and VPN... Seems not related to that for me.
Maybe MTU, but I tried 1492 and 1452 and I tried to adjust the MSS on the WAN and LAN interfaces of the FortiGate and there is no change... It drives me crazy :)
Hi,
If you are using PPPoE try switching to DHCP that worked for me.
Had the exact same problem.
Hello,
I don't understand what you have done. I can't switch to DHCP because it's PPPoE and I need to be directly connected with a public IP address.
Did you happen to ever get anywhere with this issue? I am having a similar problem but seeing it with a 100MB/100MB PPPoE connection having IPsec traffic going as low as 17MB.
Created on 09-14-2022 11:54 PM Edited on 09-14-2022 11:54 PM
Seems to be very low... Did you try to set the MTU? With PPPoE it should be 1492. But you can find the correct value with a test ping.
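The MTU advice above, worked through as an added example that is not code from the thread or from Fortinet: a budget for how much of a 1492-byte PPPoE link is left for the inner packet once ESP tunnel mode and NAT-T (the original phase1 has "nattraversal forced") take their share, the TCP MSS that follows from it, and the ping payload size that tests the link MTU. Header sizes are the RFC 4303, RFC 3948 and RFC 2516 values; the per-suite IV, ICV and padding table is an assumption covering three of the ciphers in the original proposal line, and the function names are my own.

```python
"""MTU / MSS budget for an IPsec ESP tunnel over PPPoE. Added example; the
suite table below is an assumption for the ciphers named in the thread."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
UDP_HDR = 8           # NAT-T wraps ESP in UDP/4500 (RFC 3948)
PPPOE_OVERHEAD = 8    # 6-byte PPPoE session header + 2-byte PPP protocol (RFC 2516)
ESP_HDR = 8           # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2       # pad length + next header


@dataclass(frozen=True)
class EspSuite:
    iv_len: int    # explicit IV / nonce bytes carried in the packet
    icv_len: int   # integrity check value bytes
    align: int     # padding alignment applied to (payload + trailer)


# Constructed table: GCM and ChaCha20-Poly1305 carry an 8-byte IV and a 16-byte tag
# and only need 4-byte ESP alignment; AES-CBC carries a 16-byte IV, a 16-byte
# truncated HMAC-SHA256 ICV and pads to the 16-byte block size.
SUITES = {
    "aes128gcm-prfsha256": EspSuite(iv_len=8, icv_len=16, align=4),
    "chacha20poly1305-prfsha256": EspSuite(iv_len=8, icv_len=16, align=4),
    "aes128-sha256": EspSuite(iv_len=16, icv_len=16, align=16),
}


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """ESP pad bytes so that payload + trailer lands on the suite's alignment."""
    return (-(inner_len + ESP_TRAILER)) % suite.align


def outer_size(inner_len: int, suite: EspSuite, nat_t: bool = True) -> int:
    """IP-layer size on the wire of one inner packet after ESP tunnel-mode encapsulation."""
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER + suite.icv_len)


def link_mtu(wan_mtu: int = 1500, pppoe: bool = True) -> int:
    """IP MTU of the WAN link: PPPoE takes 8 bytes of the 1500-byte Ethernet payload."""
    return wan_mtu - PPPOE_OVERHEAD if pppoe else wan_mtu


def max_inner_mtu(path_mtu: int, suite: EspSuite, nat_t: bool = True) -> int:
    """Largest inner packet whose encapsulated form still fits the path MTU."""
    inner = path_mtu
    while outer_size(inner, suite, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to clamp on the policy so TCP segments never need fragmentation."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def ping_payload_for(mtu: int) -> int:
    """'-s' payload for 'ping -M do' (Linux) that yields exactly an mtu-sized IPv4 packet."""
    return mtu - IPV4_HDR - ICMP_HDR


def budget(wan_mtu=1500, pppoe=True, suite_name="aes128gcm-prfsha256", nat_t=True) -> dict:
    """Full picture for one WAN type and one suite."""
    suite = SUITES[suite_name]
    path_mtu = link_mtu(wan_mtu, pppoe)
    inner = max_inner_mtu(path_mtu, suite, nat_t)
    return {
        "path_mtu": path_mtu,
        "inner_mtu": inner,
        "tcp_mss": tcp_mss_for(inner),
        "ping_payload": ping_payload_for(path_mtu),
        # would a full 1500-byte inner packet have to be fragmented?
        "full_size_fragments": outer_size(1500, suite, nat_t) > path_mtu,
    }


if __name__ == "__main__":
    for name in SUITES:
        print("pppoe + nat-t,", name, budget(suite_name=name))
    print("static IP, no nat-t:", budget(pppoe=False, nat_t=False))
```

For the PPPoE case the link-MTU check the reply suggests is `ping -M do -s 1464 <peer>` from a Linux host (1464 + 8 ICMP + 20 IP = 1492); if that fragments or fails, the real path MTU is lower and the inner MTU and MSS shrink accordingly. Whether NAT-T is actually in use and which phase2 suite was negotiated both change the overhead, so read them from the live tunnel rather than assuming the table's worst case.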
I was dealing with a similar situation. I have a FortiGate 100E cluster running on one side and a pfSense at the other end, in different countries. On the pfSense side I have a 1Gb/s internet link and on the FortiGate side 500Mb/s up and down (dedicated link). I changed all the configurations already mentioned and others in this forum and I was still getting up to 250Mb/s for the upload from the FortiGate to pfSense using IPsec; without IPsec I can reach 500Mb/s normally. I'm using the iperf server package on the pfSense side and a Linux server on the private network behind the FortiGate firewall as the iperf client. After all the changes and tests, I tried to run the iperf test from two servers on the FortiGate private network side and it turns out I get the result I was looking for, reaching 500Mb/s for upload (the download was working on the first try). Now I have another thing to look at, but I'm sure about the structure supporting 500Mb/s up and down using the IPsec tunnel.