This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Performance IPsec vs SSL (Site 2 Site)

Hi Folks

has someone tested the performance difference between a SSL VPN and the IPsec VPN (both Site 2 Site)?

I am planning to change (because of a very special router) to migrate. Both internet connections are VDSL.

Yours
r2k


This thread was automatically locked due to age.
Parents
  • Good question!  Please make some measurements and report back to us even if someone else has something to offer.

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I asked about this 8/11 and got no response.

    I would have thought Astaro would publish something.

    When you talk with them they claim "it should be faster" but have no numbers.

    (1% or 20%)

     The comment I got, that may make it difficult to accurately judge, is that using UDP may make it pull ahead with large files.

       Tom
  • Hi,

    it would be helpful if someone can tell us the experience in Performance in SSL over IPSEC Side to Side VPN.

    I currently have the feeling that SSL is not having a great performance instead of IPSEC.

    Thanks,
    Klaus

  • Hallo Klaus,

    Now the Community knows that performance depends on several things.

    If you really want the SSL VPN to be slow, use the TCP protocol and a 4096 key length.

    If you want to get the best performance you can from IPsec, get a device with a CPU that supports AES-NI and use a Policy like:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the Feedback Bob.

    Maybe my spelling was a bit wrong. I have two UTMs and I want to have the best possible Side 2 Side VPN between them in the topic of performance / speed.
    My experience was that SSL VPN between two UTMs is not that having great performance. So the idea was to switch to IPSEC. Before switching I just wanted to know if IPSEC will have more speed between two UTMs.

    Thanks,
    Klaus

  • Yes, Klaus, using the IPsec Policy I recommended above will be faster than the SSL VPN Site-to-Site.  If you don't have a CPU that supports AES-NI, use "AES 128 (128 bit)" for the encryption algorithm.

    What devices do you have running UTM?

    How are you measuring the performance and what were your results with the SSL VPN and then with IPsec?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I have a SG115 on one side and an ASG320 on the other.
    Just did a testing of your recommend policy AES 128 on IPSEC and the speed I'm getting was around 1MB/s. With SSL I was having between 6 to 12 MB/s.

    Testing with a standard SMB copy of a 100GB file.

    Seems like SSL is truly better performing between these two UTMs.

     

    Regards,
    Klaus

  • By the way.. On the data sheet on both devices it will tell you Throughput details for VPN.

    UTM 320 = 80MB/s

    SG 115 = 42,5MB/s

    Not sure if this is only theoretical data...

  • I would have expected a much faster connection, Klaus.  What happens if you copy directly from one device to the other instead of using a file share.  I would try this using RDP.

    You might be interested in reading Slow large file copies via file-share, but fast if using http (both with IPSEC VPN) from a couple years ago.  Let us know if you try any of the suggestions in the various posts and what you end up with.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data