Painfully slow Mobile VPN - but what's better?

For my one client using Mobile VPN, called Train Trax Inc, the main office has a fiber ISP connection with 1Gb up and down. For users connecting via Mobile VPN to access the file server, they get 5Mb up/down on average, but it could be 7Mb sometimes and other times it could be 3Mb.
For my other client using Mobile VPN, called Steel Wires Inc, the main office has 1Gb down/300Mb up coax, and their users are also getting a 5Mb up/down with the plus/minus of 2Mb.
I've ruled out the users' web speeds by testing using my own remote connection via Mobile VPN...which maxes out at 7Mb at either main office...and I have 1Gb up/down fiber. What gives? I've seen the article about slow SMB/CIFS transfers (article ID 000013599), but is there a better alternative? I can send all these users their own WatchGuard to create a better VPN/protocol connection, but wanted to bounce this off you gurus first.

Comments

  • Which Mobile VPN type are you using? SSLVPN is slow, but should not be THAT slow. IKEv2 VPN is faster than SSLVPN.

    Gregg Hill

  • Thanks for chiming in Gregg! I'm using Mobile VPN with SSL, routed VPN traffic, SHA1 authentication, AES-256 encryption, port 443. How fast are you getting on IKEv2? I might just turn that on and see what happens.

  • edited September 2021

    The last time I used my SSLVPN was pre-lockdown. I was at Starbucks and I had 200 x 10 Spectrum Cable service at home, so I never could go over 10Mbps anyway, nor seemingly get even close.

    Now I have 500 x 500 Frontier FiOS at home, but I cannot go to Starbucks!

    I do remember using AES-GCM (256) and it was a little faster than AES (256). Then I briefly used IKEv2 with only "SHA2-256-AES (256)" in the "Phase 1 Transforms" section and it was better, but I have no definite speed figures.

    Gregg Hill

  • Gregg, and for others reading this...
    I set up the IKEv2 and let me tell you - night and day. Feels like I'm sitting in the office with the server in the other room. My goodness. IKEv2 is definitely the way to go. No split tunnelling, but that's a small price to pay.

  • You can configure IKEv2 Mobile VPN to do split tunneling.
    But you need to do this configuration on the Windows machines, not on the Firebox device.

    In Windows open PowerShell (Run as admin).
    Set-VpnConnection -Name "WG IKEv2" -SplitTunneling $true
    Add-VpnConnectionRoute -ConnectionName "WG IKEv2" -DestinationPrefix 192.168.10.0/24

    More vpn commands:
    https://docs.microsoft.com/en-us/powershell/module/vpnclient/?view=windowsserver2019-ps
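
The two commands from the post above, as an added example that is not part of the original post: a repeatable script that enables split tunneling, adds each route only once, and prints the resulting settings so they can be checked. The connection name and prefix are the ones quoted in the post; the variable names are illustrative.

```powershell
# Added example. Connection name and prefix are taken from the post above;
# change both to match your own deployment.
$ConnectionName = 'WG IKEv2'
$Prefixes       = @('192.168.10.0/24')   # networks that must use the tunnel

# Stop immediately if the VPN profile does not exist for the current user.
# (For a profile created for all users, add -AllUserConnection to each cmdlet.)
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Turn split tunneling on only if it is currently off.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Collect the prefixes already attached to the profile (may be empty).
$existing = @($vpn.Routes | Where-Object { $_ } |
    ForEach-Object { $_.DestinationPrefix })

# Add each wanted prefix once, so the script can be re-run safely.
foreach ($prefix in $Prefixes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName `
            -DestinationPrefix $prefix
    }
}

# Print the final state for review.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, TunnelType, SplitTunneling,
        @{ Name = 'Routes'
           Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

With split tunneling on, only the listed prefixes are routed through the tunnel; all other traffic leaves through the client's local connection and does not pass through the Firebox.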

  • How did you configure IKEv2?
    We are using IKEv2 too, but people with a gigabit fibre connection can download with 1 to 8mb at maximum (it depends on the provider).
    The company is connected with 1gb up and down.
    What are your encryption parameters?

  • @pkokkinis - do you happen to have any numbers on the relative speed difference between SSL and IKEv2? (You reported 3-7 Mbps with SSL, and then that IKEv2 felt like "night and day", but I am wondering if you could provide some rough guidance with numbers). I am having similar issues with slow VPN and am trying to get a better sense of other people's experiences.

  • Fireware V12.9 now supports split tunneling for IKEv2

  • @ibrown I tested just now while at my house, which has a max upload of 40Mbps, and transfer rates over IKEv2 from my home computer to the office server were around 39Mbps. It's a beautiful thing.

  • @Bruce_Briggs said:
    Fireware V12.9 now supports split tunneling for IKEv2

    Excellent!

    I may now give this another try.

    Is it safe to run the IKEv2 wizard without it breaking the existing SSL-VPN service?

  • Yes.
    You can have multiple types of VPN client types active on the firewall, and active on a PC.
    The setups are different and don't interfere with one another.

    Note that 2 brands of SSLVPN on a PC will cause issues, usually with the 1st one installed.
