
Sophos XG IPSEC VPN tunnel between XG 18.5

We have a multi-nation setup in Europe. The data center is in Zurich (XG330). All other locations (XG135) only need a tunnel and a breakout ISP. All locations have <20 employees.

As this setup is all over Europe from Spain to Poland, we connected the XG Firewall simply by using policy-based IPSEC Tunnels to our central Zurich XG330.

We realize that the throughput is very different as well as the latency. This is somehow expected (more distance = more hops = more latency) .

We are looking for a way to get the fastest connection by throughput and the fastest connection by latency.

What is the best practice for this? Policy-based IPSEC, route-based IPSEC, or site-to-site RED tunnel?



This thread was automatically locked due to age.
  • Hello,

    There is a rule of thumb when you run into low throughput with IPSEC; the steps below can be performed:

    • In the IPSEC policy on both sides, set the encryption and hash algorithms to 3DES and MD5. Disable PFS in Phase 2.
    • Do not use compression; it would only be helpful in satellite networks.
    • Check the LAN-to-VPN rule for this specific tunnel and apply this command: set ips ac_atp exception fwrules <Rule-ID>
    • Once done, enable the tunnel and check.
    • This is only for test purposes; using 3DES and MD5 is not considered to be secure.

    If the above does not help, then the best way is to configure SSL site-to-site VPN. It should improve the performance by 20-40%.

    Using policy-based or route-based IPSEC would not make much difference. SSL site-to-site is considered to be faster than IPSec due to its underlying technologies.

    Upvote if you like the answer.

    Sophos Certified Architect

    Ex-Sophos High Touch Technical Support Engineer

    Securing Fortune 10 Companies across world

    Expertise In XG firewall

    Stay in Touch : exion@protonmail.com
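The "enable the tunnel and check" step above, and the original question of which site is fastest by throughput and which by latency, both need a repeatable measurement. The script below is an added example, not code from this thread or from Sophos: it runs from a host on the Zurich LAN against one host behind each remote tunnel, parses the Linux/iputils `ping` summary line and `iperf3 -J` JSON, and ranks the sites both ways. The site names, addresses and sample tool output are constructed; on macOS/BSD the ping summary line differs and the regex would need adjusting.

```python
"""Rank site-to-site tunnels by latency and by throughput.

Added example, not from the original thread. Run it from a host in the Zurich
LAN against one host behind each remote tunnel; it assumes Linux/iputils ping
(for the "rtt min/avg/max/mdev" summary line) and iperf3 servers listening
behind each tunnel. Site names, addresses and sample outputs are constructed.
"""
import json
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory: site -> address of an iperf3 server behind that tunnel.
SITES: Dict[str, str] = {
    "madrid": "10.20.0.10",
    "warsaw": "10.30.0.10",
    "paris": "10.40.0.10",
}

# iputils ping summary, e.g. "rtt min/avg/max/mdev = 31.118/32.557/34.210/0.911 ms"
_PING_RTT = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")


@dataclass
class TunnelStats:
    site: str
    avg_rtt_ms: Optional[float]  # None when ping printed no summary (100% loss)
    mbit_s: Optional[float]      # None when iperf3 reported an error


def parse_ping_avg_rtt(output: str) -> Optional[float]:
    """Average RTT in ms from ping output, or None if the summary is missing."""
    m = _PING_RTT.search(output)
    return float(m.group(1)) if m else None


def parse_iperf3_mbit(output: str) -> Optional[float]:
    """Receiver-side throughput in Mbit/s from `iperf3 -J` JSON, or None."""
    try:
        doc = json.loads(output)
    except json.JSONDecodeError:
        return None
    if "error" in doc:  # iperf3 -J puts "unable to connect ..." here
        return None
    return round(doc["end"]["sum_received"]["bits_per_second"] / 1e6, 1)


def measure(site: str, host: str, count: int = 10, seconds: int = 10) -> TunnelStats:
    """Ping and iperf3 one site; needs both tools installed and the tunnel up."""
    ping = subprocess.run(["ping", "-c", str(count), "-q", host],
                          capture_output=True, text=True)
    iperf = subprocess.run(["iperf3", "-c", host, "-t", str(seconds), "-J"],
                           capture_output=True, text=True)
    return TunnelStats(site, parse_ping_avg_rtt(ping.stdout),
                       parse_iperf3_mbit(iperf.stdout))


def fastest_by_latency(stats: List[TunnelStats]) -> List[str]:
    """Sites ordered by ascending RTT; unreachable sites are listed last."""
    ok = sorted((s for s in stats if s.avg_rtt_ms is not None), key=lambda s: s.avg_rtt_ms)
    return [s.site for s in ok] + [s.site for s in stats if s.avg_rtt_ms is None]


def fastest_by_throughput(stats: List[TunnelStats]) -> List[str]:
    """Sites ordered by descending throughput; failed tests are listed last."""
    ok = sorted((s for s in stats if s.mbit_s is not None), key=lambda s: -s.mbit_s)
    return [s.site for s in ok] + [s.site for s in stats if s.mbit_s is None]


# Constructed sample tool output standing in for live measurements.
SAMPLE_PING = {
    "madrid": "10 packets transmitted, 10 received, 0% packet loss, time 9012ms\n"
              "rtt min/avg/max/mdev = 31.118/32.557/34.210/0.911 ms\n",
    "warsaw": "10 packets transmitted, 10 received, 0% packet loss, time 9008ms\n"
              "rtt min/avg/max/mdev = 24.020/25.104/27.331/0.804 ms\n",
    "paris": "10 packets transmitted, 0 received, 100% packet loss, time 9201ms\n",
}
SAMPLE_IPERF = {
    "madrid": json.dumps({"end": {"sum_received": {"bits_per_second": 61_200_000.0}}}),
    "warsaw": json.dumps({"end": {"sum_received": {"bits_per_second": 58_720_000.0}}}),
    "paris": json.dumps({"error": "unable to connect to server: No route to host"}),
}


def demo_stats() -> List[TunnelStats]:
    """Parse the constructed samples; swap in measure() for live tunnels."""
    return [TunnelStats(site, parse_ping_avg_rtt(SAMPLE_PING[site]),
                        parse_iperf3_mbit(SAMPLE_IPERF[site])) for site in SITES]


if __name__ == "__main__":
    stats = demo_stats()  # live: [measure(site, host) for site, host in SITES.items()]
    for s in stats:
        print(s)
    print("fastest by latency:   ", fastest_by_latency(stats))
    print("fastest by throughput:", fastest_by_throughput(stats))
```

Run it once with the production IPsec proposal, once after the IPS exception on the LAN-to-VPN rule, and once with the 3DES/MD5 test proposal, so each change is attributed to a measured difference rather than a feeling; then put the production proposal (AES/SHA-2 with PFS) back before leaving the tunnel in service, as the reply itself cautions. The two rankings are kept separate on purpose, since a low-RTT site is not necessarily the one with the most headroom.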
