
Recommended IPSec Policies for best performance

Hello all,

Long-time Sophos UTM users here. We have three offices and a HP ProLiant G9 in each office running Sophos UTM in Chicago, Seattle and Los Angeles. We're running Teradici PCoIP that requires the best throughput and lowest latency possible between the sites. Teradici uses both TCP and UDP for its PCoIP protocol, so I'm not sure if running over a TCP IPSec S2S vpn is ideal. We're around 44-46ms and latency is the highest priority, looking to optimize our policies a bit better as I know they are out of whack! I've read something about AES 128 GCM using hardware acceleration on intel processors, looking for tweaks like that to speed up our IPSec connections between sites. I've included a screen grab of our VPN policy.


Any help would be much appreciated!!



  • From my reading, the most important issue for performance tuning is to prevent packet fragmentation. You need to reduce the MTU on the inside interface, so that after the tunnel envelope is added, the original payload still fits in one packet at the outside interface. Of course, you also have to consider the possibility that an intermediate hop along your Internet path uses a smaller-than-1512 MTU, because you do not want packets fragmented along the route either.

    The Cisco support site has a long article about IPSEC Fragmentation and MTU Path Discovery that was my primary learning tool.   I think they abbreviate "MTU Path Discovery" as MTUPD in some contexts.

    Assuming that all hops are based on Ethernet technology, I think an inside MTU of about 1412 usually works, but the article provides the algorithm.
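    As an added worked example (not code from this thread, from Sophos or from the Cisco article), the script below computes the ESP tunnel-mode envelope that is added to each inner packet and derives the largest inside MTU that still fits the outside MTU without fragmentation. The cipher and integrity labels are my own shorthand; the byte counts follow the ESP layout from RFC 4303 (8-byte SPI/sequence header, IV, padding to the cipher's alignment, 2-byte trailer, ICV) plus the outer IP header and an optional 8-byte UDP header when NAT traversal is in use. It also checks the 1412 figure from the post above against a 1500-byte outer MTU.

    ```python
    # Added example: ESP tunnel-mode overhead and inside-MTU calculator.
    # Cipher table: label -> (IV length, padding alignment, built-in ICV for AEAD ciphers).
    # Labels are my own shorthand, not Sophos UTM policy names.
    CIPHERS = {
        "aes128-cbc": (16, 16, 0),
        "aes256-cbc": (16, 16, 0),
        "3des-cbc": (8, 8, 0),
        "aes128-gcm": (8, 4, 16),   # AES-GCM carries its own 16-byte ICV
        "aes256-gcm": (8, 4, 16),
    }

    # Separate integrity algorithm (ICV length); "none" for AEAD ciphers.
    INTEGRITY = {"none": 0, "md5-96": 12, "sha1-96": 12, "sha256-128": 16}

    ESP_HEADER = 8   # SPI (4) + sequence number (4)
    ESP_TRAILER = 2  # pad length (1) + next header (1)


    def esp_overhead(inner_len, cipher, integ="none", nat_t=False, ipv6=False):
        """Bytes added when an inner packet of inner_len bytes is encapsulated in ESP tunnel mode."""
        iv_len, align, aead_icv = CIPHERS[cipher]
        icv = aead_icv if aead_icv else INTEGRITY[integ]
        # Padding makes (plaintext + trailer) a multiple of the cipher's alignment.
        pad = (-(inner_len + ESP_TRAILER)) % align
        outer_ip = 40 if ipv6 else 20
        udp = 8 if nat_t else 0  # NAT-T encapsulates ESP in UDP/4500
        return outer_ip + udp + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv


    def outer_len(inner_len, cipher, integ="none", nat_t=False, ipv6=False):
        """Size on the wire of the encapsulated packet."""
        return inner_len + esp_overhead(inner_len, cipher, integ, nat_t, ipv6)


    def fits(inner_len, outer_mtu, cipher, integ="none", nat_t=False, ipv6=False):
        """True if an inner packet of this size crosses the outside interface unfragmented."""
        return outer_len(inner_len, cipher, integ, nat_t, ipv6) <= outer_mtu


    def max_inner_mtu(outer_mtu, cipher, integ="none", nat_t=False, ipv6=False):
        """Largest inside MTU whose encapsulated form never exceeds outer_mtu.

        Padding depends on the inner length, so walk downward rather than subtract a constant.
        """
        for inner in range(outer_mtu, 0, -1):
            if fits(inner, outer_mtu, cipher, integ, nat_t, ipv6):
                return inner
        raise ValueError("outer MTU too small for any payload")


    def tcp_mss(inner_mtu, ipv6=False):
        """TCP MSS to clamp on the inside interface so segments honour the reduced MTU."""
        return inner_mtu - (40 + 20 if ipv6 else 20 + 20)


    if __name__ == "__main__":
        for cipher, integ in (("aes128-cbc", "sha1-96"), ("aes128-gcm", "none")):
            for nat_t in (False, True):
                m = max_inner_mtu(1500, cipher, integ, nat_t=nat_t)
                print(f"{cipher}/{integ} nat_t={nat_t}: inside MTU {m}, TCP MSS {tcp_mss(m)}")
        # The 1412 figure from the post, checked against a plain 1500-byte outside MTU.
        print("1412 fits (aes128-cbc/sha1-96):", fits(1412, 1500, "aes128-cbc", "sha1-96"))
        # A smaller path MTU (e.g. a PPPoE hop at 1492) lowers the answer accordingly.
        print("aes128-gcm over a 1492-byte path:", max_inner_mtu(1492, "aes128-gcm"))
    ```

    The outer MTU is a parameter on purpose: if an intermediate hop is known to carry less than 1500 bytes, pass that value instead and the inside MTU shrinks to match. Clamping the TCP MSS on the inside interface to the value `tcp_mss` returns keeps TCP flows below the limit even when end hosts ignore path MTU discovery; UDP traffic such as PCoIP has no MSS to clamp, so the inside MTU itself is what prevents fragmentation there.
    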

  • Thank you!  I'll read into that a bit. 

    Any thoughts on going to SSL S2S VPN instead of IPSec?  I've seen UDP is a possibility there and maybe that would help?

  • Bob Alfson is a fan of UDP because it is noticeably faster. I am more of a skeptic because even in a SSL VPN session, UDP allows for lost packets. Sophos documentation says that UDP is ideal for streaming traffic (music, voice) where discards are acceptable. PCOIP/BLAST may fit in that category.

    VMWare documentation definitely recommends moving from PCOIP to BLAST wherever possible.

    Do you need the VPN tunnel?   Doesn't PCOIP/BLAST use TLS encryption already?   

    If I have my facts straight, double encryption may be a reason to avoid SSL VPN.   It seems to me, without evidence, that having TLS-within-TLS is more likely to cause problems than using TLS-within-IPSEC.

  • I don't think a lost UDP packet would go unnoticed by SSL VPN, Doug - it certainly doesn't by IPsec.  What do you think?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA