Hallo Klaus,
Now the Community knows that performance depends on several things.
If you really want the SSL VPN to be slow, use the TCP protocol and a 4096 key length.
If you want to get the best performance you can from IPsec, get a device with a CPU that supports AES-NI and use a Policy like:
Cheers - Bob
Thank you for the Feedback Bob.
Maybe my spelling was a bit wrong. I have two UTMs and I want to have the best possible Side 2 Side VPN between them in the topic of performance / speed.
My experience was that SSL VPN between two UTMs is not that having great performance. So the idea was to switch to IPSEC. Before switching I just wanted to know if IPSEC will have more speed between two UTMs.
Thanks,
Klaus
Yes, Klaus, using the IPsec Policy I recommended above will be faster than the SSL VPN Site-to-Site. If you don't have a CPU that supports AES-NI, use "AES 128 (128 bit)" for the encryption algorithm.
What devices do you have running UTM?
How are you measuring the performance and what were your results with the SSL VPN and then with IPsec?
Cheers - Bob
Hi Bob,
I have a SG115 on one side and an ASG320 on the other.
Just did a testing of your recommend policy AES 128 on IPSEC and the speed I'm getting was around 1MB/s. With SSL I was having between 6 to 12 MB/s.
Testing with a standard SMB copy of a 100GB file.
Seems like SSL is truly better performing between these two UTMs.
Regards,
Klaus
Hi Bob,
I have a SG115 on one side and an ASG320 on the other.
Just did a testing of your recommend policy AES 128 on IPSEC and the speed I'm getting was around 1MB/s. With SSL I was having between 6 to 12 MB/s.
Testing with a standard SMB copy of a 100GB file.
Seems like SSL is truly better performing between these two UTMs.
Regards,
Klaus
I would have expected a much faster connection, Klaus. What happens if you copy directly from one device to the other instead of using a file share. I would try this using RDP.
You might be interested in reading Slow large file copies via file-share, but fast if using http (both with IPSEC VPN) from a couple years ago. Let us know if you try any of the suggestions in the various posts and what you end up with.
Cheers - Bob