
Recommended IPSec Policies for best performance

Hello all,

Long-time Sophos UTM user here. We have three offices and an HP ProLiant G9 in each office running Sophos UTM in Chicago, Seattle and Los Angeles. We're running Teradici PCoIP, which requires the best throughput and lowest latency possible between the sites. Teradici uses both TCP and UDP for its PCoIP protocol, so I'm not sure if running over a TCP IPSec S2S VPN is ideal. We're around 44-46ms and latency is the highest priority; I'm looking to optimize our policies a bit better as I know they are out of whack! I've read something about AES 128 GCM using hardware acceleration on Intel processors, and I'm looking for tweaks like that to speed up our IPSec connections between sites. I've included a screen grab of our VPN policy.


Any help would be much appreciated!!



  • From my reading, the most important issue for performance tuning is to prevent packet fragmentation. You need to reduce the MTU on the inside interface, so that after the tunnel envelope is added, the original payload still fits in one packet at the outside interface. Of course, you also have to consider the possibility that an intermediate hop along your Internet path uses a smaller-than-1512 MTU, because you do not want packets fragmented along the route either.

    The Cisco support site has a long article about IPSEC Fragmentation and MTU Path Discovery that was my primary learning tool.   I think they abbreviate "MTU Path Discovery" as MTUPD in some contexts.

    Assuming that all hops are based on Ethernet technology, I think an inside MTU of about 1412 usually works, but the article provides the algorithm.
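The MTU arithmetic behind that advice, as an added worked example (not code from the thread or from Sophos): it adds up the ESP tunnel-mode envelope for a given cipher suite and works back to the largest inside-interface MTU that still fits a 1500-byte outside link. The per-suite IV/ICV sizes are the standard ESP values (RFC 4303, RFC 4106 for AES-GCM, RFC 3948 for NAT-T UDP encapsulation); the `CIPHERS` table, the 1500-byte default outer MTU, and the `nat_t` flag are assumptions chosen for illustration, and real paths with a smaller MTU somewhere in the middle still need the lower figure the post mentions.

```python
"""Worked example (added here, not from the thread): estimate the ESP
tunnel-mode envelope per packet and derive an inside-interface MTU that keeps
the encrypted packet whole on the outside link.

Header sizes are the standard ESP tunnel-mode values; the cipher table and
the 1500-byte default outer MTU are assumptions for illustration.
"""

OUTER_IP_HEADER = 20     # IPv4 outer header added in tunnel mode
NAT_T_UDP_HEADER = 8     # UDP/4500 encapsulation when NAT traversal is active
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2          # pad length (1 byte) + next header (1 byte)

# Per-suite (IV length, ICV length, alignment) in bytes.
# AES-GCM: 8-byte explicit IV, 16-byte ICV, payload aligned to 4 bytes.
# AES-CBC + HMAC-SHA1-96: 16-byte IV, 12-byte ICV, aligned to the 16-byte block.
# AES-CBC + HMAC-SHA256-128: 16-byte IV, 16-byte ICV, aligned to the 16-byte block.
CIPHERS = {
    "aes128gcm16": (8, 16, 4),
    "aes128cbc_sha1": (16, 12, 16),
    "aes128cbc_sha256": (16, 16, 16),
}


def esp_padding(inner_len: int, cipher: str) -> int:
    """ESP padding so that payload + pad + trailer is a multiple of the
    cipher block size (CBC) or of 4 bytes (GCM)."""
    _, _, align = CIPHERS[cipher]
    return (-(inner_len + ESP_TRAILER)) % align


def encapsulated_size(inner_len: int, cipher: str, nat_t: bool = True) -> int:
    """Size of the outer IP packet that carries an inner packet of inner_len bytes."""
    iv_len, icv_len, _ = CIPHERS[cipher]
    esp = (ESP_HEADER + iv_len + inner_len + esp_padding(inner_len, cipher)
           + ESP_TRAILER + icv_len)
    return OUTER_IP_HEADER + (NAT_T_UDP_HEADER if nat_t else 0) + esp


def max_inner_mtu(outer_mtu: int = 1500, cipher: str = "aes128gcm16",
                  nat_t: bool = True) -> int:
    """Largest inner packet that is encapsulated without exceeding outer_mtu.
    Walks downward because padding makes the relation non-linear."""
    for inner in range(outer_mtu, 0, -1):
        if encapsulated_size(inner, cipher, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def will_fragment(inner_len: int, cipher: str, outer_mtu: int = 1500,
                  nat_t: bool = True) -> bool:
    """True if an inner packet of this size would be fragmented at the outside interface."""
    return encapsulated_size(inner_len, cipher, nat_t) > outer_mtu


if __name__ == "__main__":
    for name in CIPHERS:
        print(f"{name:18s} max inner MTU on a 1500-byte link (NAT-T on): "
              f"{max_inner_mtu(1500, name, True)}")
    # The 1412-byte inside MTU suggested in the thread, checked against AES-128-GCM + NAT-T
    print("1412-byte inner packet fragments:", will_fragment(1412, "aes128gcm16"))
```

Running it shows that on a clean 1500-byte path AES-128-GCM with NAT-T leaves room for a 1438-byte inner packet, so an inside MTU of 1412 keeps a few dozen bytes of headroom for a smaller hop along the way; CBC suites with 16-byte block alignment land slightly lower.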

  • Thank you!  I'll read into that a bit. 

    Any thoughts on going to SSL S2S VPN instead of IPSec?  I've seen UDP is a possibility there and maybe that would help?

  • Bob Alfson is a fan of UDP because it is noticeably faster. I am more of a skeptic because even in an SSL VPN session, UDP allows for lost packets. Sophos documentation says that UDP is ideal for streaming traffic (music, voice) where discards are acceptable. PCOIP/BLAST may fit in that category.

    VMWare documentation definitely recommends moving from PCOIP to BLAST wherever possible.

    Do you need the VPN tunnel?   Doesn't PCOIP/BLAST use TLS encryption already?   

    If I have my facts straight, double encryption may be a reason to avoid SSL VPN.   It seems to me, without evidence, that having TLS-within-TLS is more likely to cause problems than using TLS-within-IPSEC.

  • Hi Ross,

    Is there anything we need to know that would prevent using the connection without a tunnel? PCoIP is encrypted anyway, the MTU is best used without overhead, and so on. So if possible, try to connect not through the tunnel. Latency will always have a small increment via a tunnel.

    Best

    Alex


  • Yep, that's gotta be the way to go.  I'm not sure why I didn't think about NOT using the tunnel for PCoIP to begin with.  I'm going to give that a go.

    Thank you all for the help!!

  • I don't think a lost UDP packet would go unnoticed by SSL VPN, Doug - it certainly doesn't by IPsec.  What do you think?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA