
IPsec Tunnel

Hey Everyone,

I have an IPsec tunnel connecting multiple offices together and was wondering if someone could guide me to a better solution possibly?

My question is that I am having data being transferred between the different sites continuously and was curious what the throughput would be for my current setup and if there is a better config that provides good security/speeds?

Here's my current config:

IKE: Auth PSK / Enc 3DES_CBC / Hash HMAC_MD5 / Lifetime 28800s / DPD
ESP: Enc 3DES_CBC / Hash HMAC_MD5 / Lifetime 28800s



  • Add overhead by changing to SHA2 and AES or newer encryption.

    Then use ping -f -l to find the maximum packet that can pass the tunnel without fragmentation. Lower your inside MTU to that value or less. Some overhead is variable, so adjusting downward can be needed. You want to ensure that the packets can have IPsec overhead added without causing fragmentation of the original packet into multiple pieces.

  • 3DES is old and clunky.  I prefer "AES-128 PFS" to other policies using AES-256 as I read somewhere that there was a vulnerability in using AES-256 for ESP.  Although, as Doug says, using SHA2 consumes more resources, if you have fast-enough hardware, I'm with him on recommending it as more secure than MD5, especially for ESP.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Awesome, thanks for the information! :D
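The replies above make two points that are easy to put numbers on: the poster's 3DES_CBC / HMAC_MD5 proposal versus the AES / SHA2 proposals Doug and Bob recommend changes the per-packet ESP overhead, and the "ping -f -l" sweep Doug describes is really a search for the largest inner packet that still fits the outer MTU. The following is an added example, not code from the thread or from Sophos. It models ESP tunnel-mode overhead from the packet layout in RFC 4303 (8-byte SPI/sequence header, cipher IV, payload padded to the cipher block size plus a 2-byte trailer, then the ICV, all behind a new 20-byte IPv4 outer header), assumes the standard truncated ICV sizes (HMAC-MD5-96: 12 bytes, HMAC-SHA-256-128: 16 bytes) and the usual IV sizes (3DES-CBC: 8, AES-CBC: 16), and simulates the DF-ping sweep against that model instead of a live peer. The profile names, the 1500-byte outer MTU and the ICMP sizes are constructed for the example.

```python
"""Estimate IPsec ESP tunnel-mode overhead and derive a safe inside MTU.

Added example, not from the thread or from Sophos. Byte counts follow the ESP
packet format (RFC 4303): an 8-byte header (SPI + sequence number), the cipher
IV, the payload padded to the cipher block size plus a 2-byte trailer (pad
length + next header), then the ICV. Tunnel mode prepends a 20-byte IPv4 outer
header. ICV sizes assume HMAC-MD5-96 (12 bytes) and HMAC-SHA-256-128 (16 bytes).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int    # IV bytes carried in the ESP packet
    block: int     # block size the encrypted payload is padded up to
    icv_len: int   # truncated HMAC length appended to the packet


# The poster's current proposal next to the ones the replies suggest
# (profile keys are constructed for this example).
PROFILES = {
    "3des_md5": EspProfile("3DES_CBC / HMAC_MD5", iv_len=8, block=8, icv_len=12),
    "aes128_sha256": EspProfile("AES128_CBC / HMAC_SHA2_256", iv_len=16, block=16, icv_len=16),
    "aes256_sha256": EspProfile("AES256_CBC / HMAC_SHA2_256", iv_len=16, block=16, icv_len=16),
}

OUTER_IPV4_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICMP_ECHO_HDRS = 28  # IPv4 header (20) + ICMP echo header (8); ping -l counts only the payload


def outer_length(profile: EspProfile, inner_len: int) -> int:
    """Bytes on the wire once an inner packet of inner_len bytes is ESP-encapsulated."""
    to_pad = inner_len + ESP_TRAILER
    padded = -(-to_pad // profile.block) * profile.block  # round up to the block size
    return OUTER_IPV4_HDR + ESP_HDR + profile.iv_len + padded + profile.icv_len


def esp_overhead(profile: EspProfile, inner_len: int) -> int:
    """Overhead added to this inner packet; it varies with the padding needed."""
    return outer_length(profile, inner_len) - inner_len


def max_inner_mtu(profile: EspProfile, outer_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits in outer_mtu."""
    for inner in range(outer_mtu, 0, -1):
        if outer_length(profile, inner) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def probe_largest_payload(fits, lo: int = 0, hi: int = 1472) -> int:
    """Bisect for the largest ping payload that passes with DF set.

    fits(n) stands in for 'ping -f -l n <peer>' succeeding. Because the
    encapsulated size never decreases as the payload grows, bisection is
    valid. Returns -1 if no payload in [lo, hi] fits.
    """
    best = -1
    while lo <= hi:
        mid = (lo + hi) // 2
        if fits(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def simulated_ping_sweep(profile: EspProfile, outer_mtu: int = 1500) -> int:
    """Run the DF-ping sweep against the overhead model instead of a live tunnel."""
    def fits(payload: int) -> bool:
        return outer_length(profile, payload + ICMP_ECHO_HDRS) <= outer_mtu
    return probe_largest_payload(fits)


if __name__ == "__main__":
    for prof in PROFILES.values():
        payload = simulated_ping_sweep(prof)
        print(f"{prof.name:28s} overhead@1500={esp_overhead(prof, 1500):2d} B  "
              f"max inner MTU={max_inner_mtu(prof)}  largest DF ping payload={payload}  "
              f"-> inside MTU <= {payload + ICMP_ECHO_HDRS}")
```

Two things the model makes visible: moving from 3DES/MD5 to AES-128/SHA2-256 costs another 12 bytes per packet at a 1500-byte inner size (bigger IV and ICV, plus 16-byte padding), which is the "add overhead" Doug refers to, while AES-256 costs nothing extra over AES-128 on the wire because the block size and IV are the same. The largest payload the simulated sweep returns plus the 28 bytes of IP and ICMP headers is the inside MTU ceiling Doug's procedure arrives at; on a real tunnel the path MTU and any extra encapsulation (NAT-T UDP, for example) lower it further, which is why he says to adjust downward.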