performance tuning for RDP over mobile user VPN

Hello,
i noticed some difference in performance between L2TP and SSL client.
is this due to MTU size or encryption settings ?
i would prefer SSL client but performance for RDP is very important ( CAD, Autocad over RDP / homeoffice )

any suggestions ?

xtm330 / OS 12.1.3

Comments

  • Try using UDP for SSLVPN instead of TCP

  • @Bruce_Briggs said:
    Try using UDP for SSLVPN instead of TCP

    ok i will try it

    currently encryption is set to AES256, would AES128 or 3DES speed up encryption on weak clients ?

  • Could well be that the firewall does not do SSL encryption, whereas it does for IPSec and L2TP.

    In any case, lower encryption should be faster.

  • I wouldn't go lower than AES128.

  • Bruce nailed it with "Could well be that the firewall does not do SSL encryption, whereas it does for IPSec and L2TP."

    The SSLVPN encryption is done in software, while an IKEv2 VPN has hardware encryption support in the Firebox. My IKEv2 VPN is faster and more stable than my SSLVPN has ever been.

    Gregg Hill

  • edited March 2020

    @Bruce_Briggs said:
    Try using UDP for SSLVPN instead of TCP

    i set:
    data channel to UDP 443
    config channel to TCP 443

    after that the vpn shows strange behaviour
    i cannot access www any more

  • edited April 2020

    If you use DNSWatch, then you can't use UDP port 53 for SSLVPN.
    You can use UDP pot 443, os a different UDP port, such as 4443.
    You will need to append the port number being used at the end of the Server IP addr/FQDN
    111.222.333.444:4443

  • ok , i did plenty of testing today
    going to UDP causes a MTU problem. reducing MTU solved the problem.

    UDP indeed is twice as fast

  • New Video - recommends using UPD port and using an AES-GCM for encryption for improved performance:
    Optimize Mobile VPN with SSL
    https://watchguard.us13.list-manage.com/track/click?u=1bcb692e17a1463ca874e0ce2&id=17a9d1168a&e=cae878f58b

  • Saw that as well. TESTING is highly recommended if you are considering this change as outbound UDP 443 may (should) be blocked. The HTTPS Proxy does NOT include UDP.

    I'll be testing this change in my own environment this week.

  • UDP is just the transport tunnel from the client to the firewall.
    HTTPS packets, etc. will be encapsulated within the SSLVPN tunnel - whether the tunnel us TCP or UDP.

Sign In to comment.