Site-to-Site IPSEC Extremely Slow

I have an IPSEC tunnel established between two sites that are within 30ft of each other (the buildings are next door).  Both sites get 100Mbps down / 10 Mbps up.  I set up an IPSEC tunnel between both sites using the default configuration of DefaultHeadOffice and DefaultBranchOffice in the IPSEC settings.  I have policies allowing LAN to VPN and VPN to LAN.  Everything is all pretty basic.

Once I set up the tunnel, I tried to do a simple file transfer of one 20MB file between a branch workstation and a server at Head Office.  It transferred the file at a speed of 0.7Mbps.  Considering both sites get 10Mbps upload, and given some overhead for the VPN tunnel, I would expect the speeds to be at least 7 or 8 Mbps, not 0.7....  Does anyone else have any experiences of insanely slow site-to-site IPSEC tunnels or have any recommendations?

The Head Office has an XG125 and remote office has an XG105 running MR2.  Both are at 50% memory usage and between 0-10% CPU usage.

  • In reply to scaledem:


    Are there any updates from support?

    Thank you.


  • In reply to Stefano27383:

    I am also curious as to what support has to say on this.  What are some speeds that others are getting from Site to Site IPsec tunnels and SSL VPN Tunnels?

  • In reply to ThomasKilgore:

    Hi Thomas,

    Please DM us the case ID so we may check the issue. We would require our support to investigate this issue.

  • In reply to ThomasKilgore:

    Our issue turned out to be HA MTU based. We're using a simple router to handle VDSL for an HA configuration. We had to reduce the MTU on the Sophos WAN ports that connect to that router. We'd moved to Site to Site SSL VPNs that worked around the performance issue, but now they're back on IPSEC they're working fine.

  • In reply to rogermwl:


    I posted a few weeks ago about IPSec speed being slower than expected (240 Mbps) on a 1Gbps link.  My conclusion was that Sophos isn't using the AES-NI encryption chip when it is available, but no one could confirm this.  My tests were between software Sophos XG residing on VMs under ESXi 6.7, and also an XG 125 rev3 appliance.  I tested the same architecture between 2 pfSense VMs and with AES-NI active and I could get around 1Gbps (out of 5.5 Gbps of max bandwidth on the virtual switch), and around 320 Mbps when AES-NI was deactivated.

    Now I am testing the same IPSec performance between an XG 105 and 115 (both rev3) in a private lab with a 1Gbps link, and the max throughput I can get with the standard HQ/Branch policy is ~100Mbps for a Site-To-Site IPSec VPN.  Again, I am very concerned about Sophos not offloading to the AES-NI encryption CPU.

  • I used the SG model of Sophos Firewalls, but was having pretty much the same issue described here.


    What ultimately solved it for me was adding an exception rule in IPS for IPSEC and L2TP or from my VPN IP Pool.


    After I did that the traffic was no longer strangled.
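
For the MTU-related reply above, the following added example (not code from any poster or from Sophos) works out how large an inner packet can be before its ESP tunnel-mode packet exceeds the WAN MTU and has to be fragmented. The cipher suites are standard ESP parameter sets chosen as assumptions, since the thread does not say what the default policies negotiate; the 1492-byte MTU is a constructed value typical of PPPoE links, and all function names are illustrative.

```python
# Added example: IPv4 ESP tunnel-mode sizing. Suite parameters are the usual
# ESP values for these algorithms, not settings taken from the thread.
OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length and next-header bytes (inside the encrypted part)
NAT_T_UDP = 8     # UDP encapsulation header when NAT traversal is in use

# suite name: (IV bytes, alignment of the encrypted part, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

def max_inner_packet(wan_mtu, suite, nat_t=False):
    """Largest inner IPv4 packet whose ESP packet still fits in wan_mtu."""
    iv, align, icv = SUITES[suite]
    room = wan_mtu - OUTER_IPV4 - ESP_HEADER - iv - icv
    room -= NAT_T_UDP if nat_t else 0
    if room < align:
        raise ValueError("WAN MTU too small for this suite")
    # inner packet + padding + trailer must be a multiple of the alignment
    return (room // align) * align - ESP_TRAILER

def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner packet."""
    iv, align, icv = SUITES[suite]
    padded = ((inner_len + ESP_TRAILER + align - 1) // align) * align
    extra = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + extra + ESP_HEADER + iv + padded + icv

def tcp_mss_clamp(wan_mtu, suite, nat_t=False):
    """TCP MSS that keeps tunnelled segments unfragmented (20 B IP + 20 B TCP)."""
    return max_inner_packet(wan_mtu, suite, nat_t) - 40

if __name__ == "__main__":
    for mtu in (1500, 1492):          # constructed sample WAN MTUs
        for name in SUITES:
            inner = max_inner_packet(mtu, name)
            wire = esp_packet_size(1500, name)
            print(f"MTU {mtu} {name}: max inner {inner}, MSS {inner - 40}, "
                  f"a 1500-byte inner packet becomes {wire} bytes")
```

A full-size 1500-byte LAN packet always grows past a 1500-byte WAN MTU once encapsulated, so the figures show how much headroom a lower upstream MTU removes and what MSS keeps TCP inside it.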