T70/M270 poor VPN troughput

Hi,

I have two sites as described below

site A
200/200Mbps wan link
M270 firewall, 12.5.1 firmware

Site B
1Gb/1Gb wan link
T70 firewall, 12.5.1 firmware

The sites are connected with BOVPN.
I'm transferring backup data between sites, but troughput is quite poor, 4Mbps.

Settings on both sites:

Phase1: IKEv2
AES-GCM(128-bit)
DH14

Phase2:
PFS enabled DH14
ESP-AES128-GCM

If I change Phase2 from ESP-AES128-GCM to ESP-AES-SHA1, I get roughly 180Mbps troughput, which is quite close to saturating the site A WAN connection.
We are planning to upgrade Site A WAN link to 500/500Mbps to increase our backup troughput.
The VPN troughput on T70 and M270 prochure is 740Mbps/1.6Gbps, on what settings is this kind of speeds achieved?

Is there anywhere comparison table for different algorithms speed vs security or what would be the recommended settings to achieve for ~400Mbps troughput ?

Comments

  • Tested AES128,192,256 GCM, they are all giving me 4Mbps troughput. Is this expected result?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Kari

    Throughput between sites on a BOVPN has quite a few moving parts -- the ones that'll be most relevant to the speeds you're seeing are:

    -The slowest upload/download throughput figures between each site
    -The latency between the sites.
    -What you're actually transferring.

    If you're measuring speed using windows file transfers, this will be limited by the protocol. The KB article here suggests ensuring you're on SMB2.0, but aside from that there's not much that can be done other than reduce latency or use a different protocol.

    (Why are SMB/CIFS file transfers so slow over my VPN?)
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2A00000000F3JKAU&lang=en_US

    The encryption used will play a small role, as the firewalls themselves mostly have hardware in them to speed up encryption/decryption for IPSEC tunnels.

    If you create a case using the support center link at the top right of the page, one of our technicians can take a look at it with you and help see if anything can be done to speed it up.

    -James Carson
    WatchGuard Customer Support

  • The M270 has an Intel C3558 processor which includes AES support.
    The T70 has an Intel Celeron N3160 processor which does not include AES support - so all AES encryption/decryption will be done via extra CPU cycles.

    Perhaps AES GCM is not supported by the Intel C3558 processor, which could explain what you see.

    No idea what encryption choice was used by WG to get their VPN throughput specs.

Sign In to comment.