traffic flow over IPsec very slow
Hello,
I have established a VPN between a 300D and a 60D. Users are facing slowness issues.
I have noticed a weird thing: the MTU of the VPN interface is 1446 (enc 3DES), but when I ping remote machines with a data size of 1478 it fails first, then it works (ping -f -l 1478 x.x.x.x).
For me, the value shouldn't be bigger than 1418 (as the ping has a header size of 28 bytes).
I also tried to set MSS on both policies (in/out) on both firewalls to avoid the latency, but it didn't help.
Can you help on this topic?
Thanks
any help?
Which firmware are you using in the Fortigates?
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
5.4.4
We are also facing almost the same issues with slow VPN (IPsec and SSL). What are the specs of the WAN connection? 100mbit+?
~30mbits
both sites are 30mbit?
Yes. Did you manage to solve your issues?
No, in our case it has to do with a WAN line that is 100+ Mbit.
That should be fixed in 5.6.x.
In your case the first suggestion is to upgrade to 5.4.6, because there are some IPsec fixes in that release.
We use a lot of FG60Ds on our own fiber (3-400 units). They should be able to push 5-700 Mbps IF you don't bother them with things to process in the CPU. That would be traffic shaping, priority, IPS, BFD etc.
To see the MTU of the interface:
# fnsysctl ifconfig IPSEC
IPSEC     Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1438  Metric:1
          RX packets:173295762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194955503 errors:46 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:54308250008 (50.6 GB)  TX bytes:19829754658 (18.5 GB)
In this case, with 28B Ethernet header, you should get 1410B payload through without fragmentation:
# execute ping-options df-bit yes
# execute ping-options data-size 1410
# execute ping 172.18.76.12
PING 172.18.76.12 (172.18.76.12): 1410 data bytes
1418 bytes from 172.18.76.12: icmp_seq=0 ttl=255 time=1.0 ms

# execute ping-options data-size 1411
# execute ping 172.18.76.12
PING 172.18.76.12 (172.18.76.12): 1411 data bytes

--- 172.18.76.12 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
You should also verify that the traffic is indeed offloaded to the NPU and that none of the parameters under SOFTWARE are >0:
# diag vpn ipsec status
(...)
SOFTWARE:
null:   0 0
des:    0 0
3des:   0 0
aes:    0 0
aria:   0 0
seed:   0 0
null:   0 0
md5:    0 0
sha1:   0 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
-- Bjørn Tore
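The MTU arithmetic and the two CLI checks from the thread, as an added Python example (not code from the thread or from Fortinet): it parses constructed output shaped like the `fnsysctl ifconfig IPSEC` and `diag vpn ipsec status` listings, derives the largest ping data-size that passes with DF set and a matching MSS clamp for the policies, and flags any SOFTWARE counter that is non-zero. The header sizes are the standard IPv4, ICMP and TCP values without options; the parser also accepts the flattened one-line SOFTWARE form seen in the thread.

```python
import re

# Constructed sample, shaped like the thread's "fnsysctl ifconfig IPSEC" listing.
IFCONFIG_OUTPUT = """IPSEC     Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1438  Metric:1
          RX packets:173295762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:194955503 errors:46 dropped:0 overruns:0 carrier:0
"""

# Constructed sample, shaped like the SOFTWARE block of "diag vpn ipsec status";
# the 3des counters are deliberately non-zero so the check below fires.
IPSEC_STATUS_OUTPUT = """SOFTWARE: null: 0 0 des: 0 0 3des: 37 41 aes: 0 0 md5: 0 0 sha1: 0 0
"""

IPV4_HEADER = 20   # bytes, no options
ICMP_HEADER = 8    # echo request/reply header
TCP_HEADER = 20    # bytes, no options

def parse_tunnel_mtu(ifconfig_text):
    """MTU advertised by the IPsec interface (1438 in the sample, 1446 in the question)."""
    match = re.search(r"\bMTU:(\d+)", ifconfig_text)
    if not match:
        raise ValueError("no MTU field found in ifconfig output")
    return int(match.group(1))

def max_ping_data_size(mtu):
    """Largest ICMP echo payload that passes with DF set: MTU minus IPv4 and ICMP headers (1438 -> 1410, 1446 -> 1418)."""
    return mtu - IPV4_HEADER - ICMP_HEADER

def recommended_tcp_mss(mtu):
    """MSS to clamp on the policies so a TCP segment never needs fragmenting inside the tunnel."""
    return mtu - IPV4_HEADER - TCP_HEADER

def software_crypto_hits(status_text):
    """Algorithms whose SOFTWARE counters are non-zero, i.e. crypto that is not offloaded to the NPU."""
    section = status_text.split("SOFTWARE:", 1)[1]
    hits = []
    for name, first, second in re.findall(r"(\w+):\s+(\d+)\s+(\d+)", section):
        if int(first) or int(second):
            hits.append((name, int(first), int(second)))
    return hits

if __name__ == "__main__":
    mtu = parse_tunnel_mtu(IFCONFIG_OUTPUT)
    print(f"MTU {mtu}: max DF ping data-size {max_ping_data_size(mtu)}, clamp MSS to {recommended_tcp_mss(mtu)}")
    print("software crypto in use:", software_crypto_hits(IPSEC_STATUS_OUTPUT) or "none")
```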
